CVE-2025-27253: CWE-15 External Control of System or Configuration Setting in GE Vernova N60 Multilin
A CWE-15 "External Control of System or Configuration Setting" in GE Vernova UR IED family devices from version 7.0 up to 8.60 allows an attacker to provide input that establishes a TCP connection through port forwarding. The lack of IP address and port validation may allow the attacker to bypass firewall rules or to send malicious traffic into the network.
AI Analysis
Technical Summary
CVE-2025-27253 is a vulnerability classified under CWE-15 (External Control of System or Configuration Setting) found in GE Vernova's N60 Multilin devices, specifically in versions from 7.0 up to 8.60. The flaw arises because the device improperly validates IP addresses and port numbers when establishing TCP connections through port forwarding. This lack of validation allows an attacker with network access to the device to manipulate configuration settings to create unauthorized TCP connections. By doing so, the attacker can bypass firewall rules that would normally restrict traffic, enabling malicious traffic to traverse the network undetected. The vulnerability does not require any authentication or user interaction, increasing its risk profile. The CVSS v3.1 score is 6.1 (medium severity), reflecting the attack vector as adjacent network (AV:A), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and a scope change (S:C) with limited confidentiality impact (C:L), no integrity impact (I:N), and low availability impact (A:L). Although no exploits have been reported in the wild, the vulnerability could be leveraged to facilitate lateral movement within critical infrastructure networks or to exfiltrate data by circumventing network controls. The affected product, GE Vernova N60 Multilin, is widely used in industrial control systems, particularly in energy and utility sectors, making this a significant concern for operational technology (OT) environments. The vulnerability highlights the risks of insufficient input validation in configuration interfaces of critical devices, emphasizing the need for strict controls and monitoring in OT networks.
Potential Impact
For European organizations, especially those in the energy, utilities, and industrial sectors, this vulnerability presents a risk of unauthorized network access and potential disruption of critical infrastructure operations. By exploiting this flaw, attackers could bypass firewall protections, enabling lateral movement within internal networks or injection of malicious traffic that could degrade device performance or availability. This could lead to partial denial of service or exposure of sensitive operational data, impacting confidentiality and availability. Given the strategic importance of energy infrastructure in Europe and the reliance on GE Vernova devices in many facilities, successful exploitation could have cascading effects on grid stability and service continuity. Additionally, the vulnerability could be leveraged as a foothold for more advanced attacks targeting industrial control systems. The medium severity rating reflects the balance between the ease of exploitation and the limited direct impact on integrity, but the potential for broader network compromise elevates the concern for European critical infrastructure operators.
Mitigation Recommendations
1. Apply patches and firmware updates from GE Vernova as soon as they become available to address the vulnerability directly.
2. Restrict network access to the management interfaces of N60 Multilin devices using network segmentation and access control lists (ACLs) to limit exposure to trusted hosts only.
3. Implement strict firewall rules that monitor and control port forwarding configurations and prevent unauthorized changes.
4. Deploy network intrusion detection and prevention systems (IDS/IPS) tuned to detect anomalous TCP forwarding or unusual connection patterns related to these devices.
5. Conduct regular configuration audits and integrity checks on N60 Multilin devices to detect unauthorized modifications.
6. Use network segmentation to isolate operational technology (OT) environments from corporate IT networks, reducing the attack surface.
7. Train operational staff to recognize signs of network anomalies and suspicious device behavior.
8. Establish incident response procedures specific to OT environments to quickly contain and remediate potential exploitation attempts.
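As an added example (not code from GE Vernova or from this advisory), the destination check that the Technical Summary describes as missing and that mitigations 2, 3 and 5 call for: every externally supplied forwarding target is validated against an operator-approved IP/port allow-list, and an audit pass over the configured entries flags anything that fails. The allow-list, the entry structure and the sample entries are assumptions; the page does not show the device's actual configuration format.

```python
import ipaddress

# Constructed allow-list (assumption): destination networks and TCP ports an
# operator has explicitly approved as forwarding targets from the IED.
ALLOWED_TARGETS = {
    ipaddress.ip_network("10.10.5.0/24"): {102, 502},   # IEC 61850 MMS, Modbus/TCP
    ipaddress.ip_network("10.10.9.10/32"): {443},       # engineering workstation
}

def validate_forward_target(ip_str, port, allowed=ALLOWED_TARGETS):
    """Return (ok, reason) for an externally supplied forwarding destination.

    The CWE-15 pattern is to accept ip/port exactly as given; this is the
    hardened counterpart: malformed values, non-unicast destinations and
    anything not explicitly allow-listed are rejected.
    """
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False, "malformed IP address"
    if not isinstance(port, int) or isinstance(port, bool) or not 1 <= port <= 65535:
        return False, "port out of range"
    if ip.is_loopback or ip.is_unspecified or ip.is_multicast:
        return False, "loopback/unspecified/multicast destination"
    for net, ports in allowed.items():
        if ip in net and port in ports:
            return True, "allowed"
    return False, "destination not on allow-list"

def audit_forwarding_config(entries, allowed=ALLOWED_TARGETS):
    """Check every {'dst_ip', 'dst_port'} entry; return the list of violations."""
    violations = []
    for entry in entries:
        ok, reason = validate_forward_target(entry.get("dst_ip", ""), entry.get("dst_port"), allowed)
        if not ok:
            violations.append((entry.get("dst_ip"), entry.get("dst_port"), reason))
    return violations

# Constructed sample of forwarding entries as an audit might read them back
# from a device (the real N60 configuration format is not on the page).
SAMPLE_ENTRIES = [
    {"dst_ip": "10.10.5.7", "dst_port": 102},      # approved SCADA gateway
    {"dst_ip": "203.0.113.9", "dst_port": 4444},   # unexpected external host
    {"dst_ip": "127.0.0.1", "dst_port": 443},      # would loop back into the device
]

if __name__ == "__main__":
    for dst_ip, dst_port, reason in audit_forwarding_config(SAMPLE_ENTRIES):
        print(f"VIOLATION {dst_ip}:{dst_port} -> {reason}")
```

Running the audit periodically and diffing its output against the last approved baseline gives the configuration-integrity check of mitigation 5 a concrete, testable form.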
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Nozomi
- Date Reserved: 2025-02-21T08:32:26.973Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68e52419a677756fc9926603
Added to database: 10/7/2025, 2:30:49 PM
Last enriched: 10/7/2025, 2:45:36 PM
Last updated: 11/21/2025, 6:44:15 AM