Securing the Grid: Understanding the Cybersecurity Risks of the GE N60 Network Relay

In the realm of industrial control systems (ICS), network relays play a crucial role in managing and protecting the power grid. The GE Vernova N60 Network Relay is one such device, designed to provide protection, control, and monitoring for electrical substations. This device ensures the reliable operation of power distribution by monitoring electrical parameters and responding to faults or abnormal conditions. However, like any network-connected device, the GE Vernova N60 is susceptible to cybersecurity threats that could have serious implications for both the device itself and the broader industrial environment it protects.

Nozomi Networks Labs recently uncovered and responsibly reported three vulnerabilities related to both the N60 Network Relay device and the client-side software EnerVista UR, a specialized tool developed by GE Vernova to facilitate interaction between human operators and the relay.  

An adjacent attacker (on the same network as the targeted N60 Network Relay device) can potentially exploit a chain of two vulnerabilities to gain unauthorized access, finally taking control of the device by installing custom firmware. This type of attack poses an even greater threat, as the installation of malicious or altered firmware can grant deep, persistent control over the device, potentially allowing the attacker to manipulate or disrupt its functionality indefinitely.  

Below, we take a look at the GE Vernova N60 Network Relay, and the vulnerabilities discovered by Nozomi Networks Labs.

Understanding Communication Between EnerVista UR and the N60 Network Relay  

The EnerVista UR client software is critical for configuring the relay, monitoring its status, and performing updates or maintenance tasks. Multiple functionalities are provided to the user for discovering devices on the network, connecting to them, and sending requests to retrieve and potentially export information. Figure 1 shows the main EnerVista UR user interface.

Figure 1. The EnerVista UR main user interface.

Communication between the EnerVista UR client and the N60 device is established via a custom protocol built on Modbus, an insecure communication protocol (as it was not designed with encryption or robust security mechanisms) that is older but still widely used in industrial systems. To mitigate these security weaknesses, the custom protocol employed by EnerVista UR is layered over SSH (Secure Shell), a network protocol known for providing secure, encrypted communication channels over potentially unsecured networks. In this way, all sensitive data exchanged by the Modbus protocol is secured by SSH, which provides encryption and a secure authentication mechanism. The combination of these two protocols offers a balance between compatibility with existing industrial protocols and the need for secure communications.

Figure 2. Modbus over SSH communication.

Despite these security enhancements, Nozomi Networks Labs uncovered three vulnerabilities affecting both the EnerVista UR software and the GE Vernova N60 device. These flaws can be practically exploited in any situation where the asset owner has not independently implemented additional defense-in-depth measures at both the system and network levels, such as intrusion detection systems or strict network access controls.

Vulnerabilities in the GE Vernova N60 Network Relay  

Nozomi Networks Labs revealed two vulnerabilities within the N60 Network Relay that expose it to potentially impactful cyberattacks.  

The first vulnerability arises during the SSH-based authentication process. Because the N60 relay does not verify some crucial client-provided information required to establish the authenticated channel (created through the SSH port forwarding functionality), a remote and unauthenticated attacker can exploit this issue to force the N60 relay to redirect the received network traffic to an arbitrary target (i.e., an IP address and TCP port chosen by the attacker). This condition allows firewall rules to be bypassed and anonymizes malicious traffic on the network, since it appears to originate from the relay. CVE-2025-27253 has been assigned to this vulnerability with a score of 6.1 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L). Figure 3 shows how the attack described may work over a network.

Figure 3. Firewall evaded through abuse of the N60 Network Relay communication channel.
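The device-side fix for this class of issue is to validate the forwarding destination the client supplies before opening the tunnel. The following is an added illustration written for this post, not GE Vernova's code: it assumes the only legitimate destination is the relay's own Modbus/TCP listener on the loopback interface, and uses port 502 (the Modbus/TCP default) as a stand-in, since the write-up does not state the port the N60 actually uses.

```go
package main

import (
	"fmt"
	"net"
)

// ForwardTarget is the destination a client asks the relay to open a tunnel
// to: the host and port carried in an SSH "direct-tcpip" channel request.
type ForwardTarget struct {
	Host string
	Port int
}

// allowedPorts is an assumed allowlist: the only service the tunnel is meant
// to reach is the Modbus/TCP listener on the relay itself (502 is the
// Modbus/TCP default; the real N60 port is not stated in the write-up).
var allowedPorts = map[int]bool{502: true}

// ValidateForwardTarget returns nil when the requested destination is
// permitted and an error otherwise. Only IP literals on the loopback
// interface are accepted, so the relay cannot be used to reach any other
// host on the substation network through the SSH session.
func ValidateForwardTarget(t ForwardTarget) error {
	if t.Port < 1 || t.Port > 65535 {
		return fmt.Errorf("port %d out of range", t.Port)
	}
	ip := net.ParseIP(t.Host)
	if ip == nil {
		// A hostname could resolve to anything; require an IP literal.
		return fmt.Errorf("host %q is not an IP literal", t.Host)
	}
	if !ip.IsLoopback() {
		return fmt.Errorf("host %s is not a loopback address", ip)
	}
	if !allowedPorts[t.Port] {
		return fmt.Errorf("port %d is not an allowed local service", t.Port)
	}
	return nil
}

func main() {
	// Constructed requests: one legitimate, three that must be refused.
	for _, t := range []ForwardTarget{
		{"127.0.0.1", 502},
		{"10.0.0.25", 502},
		{"localhost", 502},
		{"127.0.0.1", 22},
	} {
		if err := ValidateForwardTarget(t); err != nil {
			fmt.Printf("DENY  %s:%d (%v)\n", t.Host, t.Port, err)
		} else {
			fmt.Printf("ALLOW %s:%d\n", t.Host, t.Port)
		}
	}
}
```

The check deliberately refuses hostnames rather than resolving them: a name lookup would reintroduce exactly the attacker-controlled destination the allowlist is meant to exclude.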

The second vulnerability enables the installation of malicious firmware on the GE N60 device. Since firmware is the core software that governs the device’s essential functions, compromising it could allow an attacker to take full control of the relay, potentially leading to blackouts or equipment damage.  

Research conducted by Nozomi Networks Labs demonstrated that an authenticated attacker could exploit this vulnerability because firmware signature validation is enforced only on the client side by the EnerVista UR software, not on the device itself. By modifying the original firmware and replaying the legitimate requests generated by EnerVista UR, an attacker can trick the device into installing a compromised firmware image, thereby gaining complete control over the device. This vulnerability has been assigned the ID CVE-2025-27257 with a score of 6.1 (CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H). The impact of this vulnerability is reduced because authentication is required, and its severity varies with the level of network security in place.
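What "validation on the device itself" means in practice is that the relay, not the management client, checks a vendor signature over the image before writing anything to flash. The block below is an added example for this post and is not GE Vernova's firmware format or signing scheme: it assumes a constructed package layout (raw image followed by a 64-byte Ed25519 signature) and generates a throwaway key pair in place of the vendor key that a real device would carry in read-only storage.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// sigLen is the size of the Ed25519 signature appended to the image in
// this constructed package format.
const sigLen = ed25519.SignatureSize

// BuildPackage signs an image with the vendor's private key and appends the
// signature. In a real deployment this runs in the vendor's release pipeline,
// never on the engineering workstation or the device.
func BuildPackage(priv ed25519.PrivateKey, image []byte) []byte {
	sig := ed25519.Sign(priv, image)
	return append(append([]byte{}, image...), sig...)
}

// VerifyPackage is the check the device must perform itself. It returns the
// verified image or an error. A client-side check alone cannot provide this
// guarantee, because a modified image can be sent with replayed requests that
// look identical to the client's legitimate ones.
func VerifyPackage(pub ed25519.PublicKey, pkg []byte) ([]byte, error) {
	if len(pkg) <= sigLen {
		return nil, errors.New("package too short to contain a signature")
	}
	image, sig := pkg[:len(pkg)-sigLen], pkg[len(pkg)-sigLen:]
	if !ed25519.Verify(pub, image, sig) {
		return nil, errors.New("firmware signature invalid: refusing to install")
	}
	return image, nil
}

// FlipByte returns a copy of pkg with one byte altered; it is the negative
// test input showing that any change to a signed image is detected.
func FlipByte(pkg []byte, offset int) []byte {
	out := append([]byte{}, pkg...)
	out[offset] ^= 0x01
	return out
}

func main() {
	// Throwaway vendor key; a device would hold only the public half.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	image := []byte("constructed firmware image v1.0")
	pkg := BuildPackage(priv, image)

	if _, err := VerifyPackage(pub, pkg); err != nil {
		fmt.Println("genuine package:", err)
	} else {
		fmt.Println("genuine package: accepted")
	}
	if _, err := VerifyPackage(pub, FlipByte(pkg, 3)); err != nil {
		fmt.Println("modified package:", err)
	}
}
```

The important property is where the public key lives: if the device holds it and performs the verification, replaying a valid-looking upload sequence with a different image fails at the relay regardless of what the client checked.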

Vulnerabilities in the EnerVista UR Client Software  

In addition to the vulnerabilities found in the GE Vernova N60 device, a security flaw has also been identified in the client-side software, EnerVista UR, which is used to interact with and manage the relay.  

The EnerVista UR software does not verify whether the device it is connecting to is authentic (i.e., whether it is the genuine relay or a system controlled by an attacker). This lack of device authentication allows a malicious actor with access to the network to intercept and potentially manipulate the communication between EnerVista UR and the physical device, a man-in-the-middle (MITM) attack.  

By capturing this network traffic, the attacker could gain access to sensitive information, such as user credentials sent to the N60 Network Relay device during the authentication phase. With these credentials, the attacker could then gain unauthorized access to the N60 relay, posing a significant threat to the security and stability of the entire system. The MITM attack could also enable the attacker to inject malicious commands into the communication stream, further compromising the operation of the relay. The vulnerability has been published with the ID CVE-2025-27256 with a score of 8.3 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H). Figure 4 shows an example of the SSH credentials an attacker could gain, using the popular SSH-MITM tool to intercept an SSH connection request performed by the EnerVista UR software.

Figure 4. SSH credentials retrieved through MITM attack.
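The missing check on the client side is host key verification: before sending credentials, the SSH client should compare the key the relay presents against a value pinned by the operator, and refuse unknown or changed keys. The following is an added example for this post, not EnerVista UR code: it builds the wire-format blob of an ssh-ed25519 host key, computes the OpenSSH-style SHA256 fingerprint, and checks it against a pinned table keyed by relay address. The relay address 192.0.2.10 and the generated keys are constructed values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"fmt"
)

// sshString encodes a byte string in SSH wire format (RFC 4251 "string":
// a big-endian uint32 length followed by the bytes).
func sshString(b []byte) []byte {
	out := make([]byte, 4, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	return append(out, b...)
}

// HostKeyBlob produces the public key blob a server presents during SSH key
// exchange for an ssh-ed25519 host key.
func HostKeyBlob(pub ed25519.PublicKey) []byte {
	return append(sshString([]byte("ssh-ed25519")), sshString(pub)...)
}

// Fingerprint returns the OpenSSH-style "SHA256:<unpadded base64>" fingerprint
// of a host key blob, the form operators see in ssh-keygen -l output.
func Fingerprint(blob []byte) string {
	sum := sha256.Sum256(blob)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// HostKeyPolicy holds the fingerprints an operator has pinned per relay.
type HostKeyPolicy struct {
	pinned map[string]string // relay address -> expected fingerprint
}

// Check is the decision the client must make before authenticating. An
// unknown relay or a changed key is refused rather than silently accepted,
// so credentials are never sent to an endpoint that has not proven its identity.
func (p HostKeyPolicy) Check(addr string, blob []byte) error {
	want, ok := p.pinned[addr]
	if !ok {
		return fmt.Errorf("no pinned host key for %s; refusing to authenticate", addr)
	}
	if got := Fingerprint(blob); got != want {
		return fmt.Errorf("host key mismatch for %s: got %s, want %s", addr, got, want)
	}
	return nil
}

func main() {
	relayPub, _, _ := ed25519.GenerateKey(rand.Reader) // the genuine relay's key
	otherPub, _, _ := ed25519.GenerateKey(rand.Reader) // any key that is not the relay's
	policy := HostKeyPolicy{pinned: map[string]string{
		"192.0.2.10:22": Fingerprint(HostKeyBlob(relayPub)),
	}}
	fmt.Println("genuine relay:", policy.Check("192.0.2.10:22", HostKeyBlob(relayPub)))
	fmt.Println("different key:", policy.Check("192.0.2.10:22", HostKeyBlob(otherPub)))
	fmt.Println("unknown relay:", policy.Check("192.0.2.11:22", HostKeyBlob(relayPub)))
}
```

With a pinned fingerprint in place, an interposed SSH endpoint cannot present the relay's key, so the connection is refused before the password is transmitted; this is the same guarantee OpenSSH's StrictHostKeyChecking provides for interactive clients.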

Impacts and Remediation

A possible impact arises from chaining two vulnerabilities: the MITM attack over the authentication between EnerVista UR and the GE Vernova N60 device (CVE-2025-27256) and the absence of firmware verification (CVE-2025-27257) on the N60 Network Relay itself.  

By executing the MITM attack, an attacker can intercept and acquire valid credentials for the GE Vernova N60 Network Relay. With these credentials, and due to the lack of firmware verification, the attacker can then upload malicious firmware to seize control of the device. This means that even an unauthenticated attacker with access to the network can compromise the N60 device, posing a significant security threat.

Figure 5. Malicious firmware upload through SSH MITM attack.

It is important to highlight that the feasibility of the scenario described may differ from one deployment to another, as access to the same network is required. Various network security measures, including firewall rules and intrusion detection systems, may be actively employed. These security measures could significantly mitigate the risk by raising alerts in the presence of network-based threats such as man-in-the-middle attacks. For instance, these systems are designed to detect techniques like ARP poisoning, normally used in such attacks. Thus, although this scenario is possible, defense-in-depth security measures can help decrease its likelihood.
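To make the detection point concrete, the block below is an added example for this post (not a Nozomi Networks product rule or GE Vernova code) of the logic an IDS applies to ARP traffic: it replays a constructed capture in which the relay and the engineering workstation answer normally and then a third MAC address starts answering for both of them, and it reports an IP whose MAC changes and a MAC that claims a second IP. The addresses in the sample are constructed.

```go
package main

import "fmt"

// ARPReply is the subset of an ARP reply a network sensor records: the
// capture sequence number and which MAC address claims which IP address.
type ARPReply struct {
	Seq       int
	SenderIP  string
	SenderMAC string
}

// Alert is one suspicious observation with the sequence number that raised it.
type Alert struct {
	Seq    int
	Reason string
}

// DetectARPPoisoning replays captured ARP replies against a table of the
// first MAC seen for each IP. Two conditions are reported: an IP whose MAC
// changes, and a MAC that claims a second IP address. Together they are the
// pattern cache poisoning produces when one host impersonates both ends.
func DetectARPPoisoning(replies []ARPReply) []Alert {
	ipToMAC := map[string]string{}
	macToIPs := map[string]map[string]bool{}
	var alerts []Alert
	for _, r := range replies {
		prev, seen := ipToMAC[r.SenderIP]
		switch {
		case !seen:
			ipToMAC[r.SenderIP] = r.SenderMAC
		case prev != r.SenderMAC:
			alerts = append(alerts, Alert{r.Seq,
				fmt.Sprintf("%s moved from %s to %s", r.SenderIP, prev, r.SenderMAC)})
		}
		if macToIPs[r.SenderMAC] == nil {
			macToIPs[r.SenderMAC] = map[string]bool{}
		}
		if !macToIPs[r.SenderMAC][r.SenderIP] {
			macToIPs[r.SenderMAC][r.SenderIP] = true
			if n := len(macToIPs[r.SenderMAC]); n > 1 {
				alerts = append(alerts, Alert{r.Seq,
					fmt.Sprintf("%s now claims %d IP addresses", r.SenderMAC, n)})
			}
		}
	}
	return alerts
}

// SampleCapture is a constructed trace: the relay and the workstation answer
// normally, then a third MAC starts answering for both of them.
func SampleCapture() []ARPReply {
	return []ARPReply{
		{1, "192.0.2.10", "00:11:22:33:44:01"}, // relay
		{2, "192.0.2.20", "00:11:22:33:44:02"}, // EnerVista workstation
		{3, "192.0.2.10", "00:11:22:33:44:01"}, // relay again, consistent
		{4, "192.0.2.10", "de:ad:be:ef:00:99"}, // relay IP now claimed by another MAC
		{5, "192.0.2.20", "de:ad:be:ef:00:99"}, // workstation IP claimed by the same MAC
	}
}

func main() {
	for _, a := range DetectARPPoisoning(SampleCapture()) {
		fmt.Printf("seq %d: %s\n", a.Seq, a.Reason)
	}
}
```

In substations, where addressing is almost always static, an IP changing its MAC is a strong signal on its own; on networks with DHCP the first rule needs lease awareness to avoid false positives, while the second rule (one MAC answering for several IPs) remains reliable.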

Nozomi Networks Labs reported these three vulnerabilities to GE Vernova through a responsible disclosure process. GE Vernova has since analyzed and patched the vulnerabilities, releasing a dedicated security advisory. To address these security issues, all customers are advised to update the EnerVista UR software to the latest version (8.60) and ensure that the N60 firmware is also upgraded to the newest available release.  

Additionally, GE Vernova would like to emphasize how seriously they take the security of their own products with their own statement related to this security research:

“GE Vernova has a comprehensive cyber security program in place for enhancing the security posture of its products.

Additionally, Grid Automation (GA), which is part of the Grid Solutions (GS) business, is certified under IEC 62443-4-1 and IEC 62443-3-3, which ensures a great level of rigor in applying the SDL and properly meeting security requirements at the system level.

Since the UR device is deployed in substations, using a defense in depth protection strategy at the system level is key. This includes, but is not limited to, placing the UR inside an electronic security perimeter, deploying and maintaining access controls, robust network monitoring and Intrusion Detection, network segmentation and firewalls. Strong and active password management, antivirus techniques and isolating critical systems from less secure networks will further reduce the risk of a successful attack, as will physical security for the personnel working within the electronic security perimeter. This being said, we acknowledge that more can be done at the device level and we thank Nozomi Networks for providing us with valuable insight on the issues described in this post. We are actively working towards increasing the product level robustness. This includes the addition of new processes that will ensure regular vulnerability assessments are proactively and regularly performed on all active products.”

Conclusion

The implications of vulnerabilities described in this blog post extend far beyond the immediate risks to the GE Vernova N60 Network Relay. Industrial facilities, especially those involved in critical infrastructure like power generation and distribution, rely heavily on the integrity and security of their control systems. A successful cyberattack exploiting these vulnerabilities could disrupt operations, leading to power outages, financial losses, and even threats to public safety. Furthermore, the interconnected nature of modern industrial networks means that a compromise in one device could potentially spread to other systems, magnifying the impact of an attack.

To mitigate these risks, it is essential for organizations to prioritize cybersecurity measures, including regular vulnerability assessments, prompt application of security patches, and robust network monitoring. Additionally, implementing strong access controls, encrypting communications, and isolating critical systems from less secure networks can further reduce the risk of a successful attack.

The discovery of these vulnerabilities in the N60 Network Relay and its associated software highlights the urgent need for enhanced cybersecurity in industrial environments. As cyber threats continue to evolve, protecting the devices that underpin our critical infrastructure must remain a top priority. By addressing these vulnerabilities and implementing comprehensive security strategies, industrial facilities can better safeguard their operations and ensure the continued reliability of the systems that power our world.