CVE-2025-7719 is a path traversal vulnerability classified under CWE-22, found in GE Vernova Smallworld software versions 5.3.5 and earlier. Smallworld is a geospatial information system widely used in utilities, telecommunications, and infrastructure management. The vulnerability arises from improper limitation of pathname inputs, allowing an attacker to craft file paths that escape the intended restricted directories. This can lead to unauthorized file manipulation, including reading, writing, or deleting files outside the application’s designated directories. The vulnerability affects both Windows and Linux deployments of Smallworld. The CVSS 4.0 vector indicates the attack can be performed remotely (AV:N) with low complexity (AC:L), requires no user interaction (UI:N), but does require low privileges (PR:L). The impact on confidentiality, integrity, and availability is low individually but combined can be significant, especially in critical infrastructure environments. No patches are currently linked, and no exploits are known in the wild, but the vulnerability is publicly disclosed and should be addressed promptly to prevent potential exploitation. The lack of user interaction and remote attack vector increase the risk profile. The vulnerability’s exploitation could allow attackers to access sensitive configuration files, manipulate operational data, or disrupt service continuity by altering critical files.

For European organizations, especially those in utilities, telecommunications, and infrastructure sectors relying on GE Vernova Smallworld, this vulnerability poses a risk of unauthorized file access and manipulation. This could lead to data breaches involving sensitive geospatial and operational data, potentially disrupting service delivery and damaging organizational reputation. The integrity of critical infrastructure data could be compromised, affecting decision-making and operational safety. The availability of services may also be impacted if attackers delete or corrupt essential files. Given the strategic importance of infrastructure in Europe and regulatory requirements around data protection and operational resilience, exploitation could result in regulatory penalties and increased scrutiny. Organizations with extensive Smallworld deployments in countries with advanced infrastructure networks are particularly vulnerable. The medium severity rating reflects a moderate but tangible risk that requires timely mitigation to avoid escalation.

1. Monitor GE Vernova’s official channels for patches addressing CVE-2025-7719 and apply them immediately upon release. 2. Until patches are available, restrict user privileges to the minimum necessary, especially limiting write and execute permissions on directories accessible by Smallworld. 3. Implement strict input validation and sanitization on all pathname inputs within the application environment to prevent traversal sequences. 4. Employ file integrity monitoring tools to detect unauthorized changes to critical files and directories used by Smallworld. 5. Use application whitelisting and endpoint protection to limit execution of unauthorized code or scripts that could exploit this vulnerability. 6. Conduct regular security audits and penetration testing focused on file system access controls within Smallworld deployments. 7. Network segmentation should isolate Smallworld servers from less trusted network zones to reduce attack surface. 8. Educate system administrators and users about the risks of path traversal vulnerabilities and encourage reporting of suspicious activity. 9. Maintain comprehensive logging and alerting on file access events to enable rapid detection and response to exploitation attempts.