GE Vernova's Electrification Software division has released a critical security advisory for a high-severity authentication vulnerability (CVE-2025-3222) in its Smallworld Master File Server (SWMFS) software. The flaw, which carries a CVSS v4.0 score of 9.3 (Critical), could allow an attacker to bypass authentication and, in certain deployment configurations, run elevated commands.
The vulnerability affects Smallworld deployments from v3.0.0 up to v5.3.3 (Linux) and up to v5.3.4 (Windows). According to GE Vernova, exploitation requires "a user with knowledge of the system, the underlying protocol, and the rights associated to users with already provisioned access."
This wording suggests the flaw is not remotely exploitable by unauthenticated outsiders, but it could be abused by insiders or through compromised accounts within operational environments.
"Exploit of the vulnerability is only possible by a user with knowledge of the system… Secure deployment and strong access management for users is essential," the advisory emphasized. "GE Vernova strongly recommends that customers adhere to the most recent Secure Deployment Guide instructions."
The issue has been fully resolved in the following versions:
- v5.3.4 for Linux SWMFS users
- v5.3.5 for Windows SWMFS users
GE Vernova urges customers to upgrade to these fixed releases as the "most complete method to address the vulnerability."
The company further noted that any Smallworld deployment not using desktop authentication via an authentication server, such as UAA or Zitadel, remains exposed if not aligned with secure deployment guidelines.
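For teams triaging an SWMFS estate against this advisory, the following added helper (not GE Vernova's code) flags hosts whose build falls inside the affected ranges above, using the per-platform fixed releases the advisory names, and notes hosts that also lack a desktop authentication server. The comma-separated inventory format and the host names are constructed for the example.

```python
# Added triage helper for CVE-2025-3222 (not GE Vernova's code). Affected range
# and fixed releases are taken from the advisory; inventory format is assumed.
import re
from typing import Optional

# Fixed releases per platform, as published: v5.3.4 (Linux), v5.3.5 (Windows).
FIXED_VERSION = {"linux": (5, 3, 4), "windows": (5, 3, 5)}
FIRST_AFFECTED = (3, 0, 0)


def parse_version(text: str) -> Optional[tuple]:
    """Turn 'v5.3.3' or '5.3.3' into (5, 3, 3); None if it does not parse."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip(), re.IGNORECASE)
    return tuple(int(p) for p in m.groups()) if m else None


def is_affected(version: str, platform: str) -> bool:
    """True when the build is in [v3.0.0, fixed release) for its platform."""
    v = parse_version(version)
    fixed = FIXED_VERSION.get(platform.strip().lower())
    if v is None or fixed is None:
        raise ValueError(f"unrecognised version/platform: {version!r}/{platform!r}")
    return FIRST_AFFECTED <= v < fixed


def triage(inventory: str) -> list:
    """Return (host, reason) pairs for hosts that need action.

    Constructed line format: host,platform,version,auth_server
    where auth_server is the desktop authentication server ('UAA', 'Zitadel' or '-').
    """
    findings = []
    for line in inventory.strip().splitlines():
        host, platform, version, auth = (f.strip() for f in line.split(","))
        if is_affected(version, platform):
            fixed = ".".join(map(str, FIXED_VERSION[platform.lower()]))
            reason = f"upgrade to v{fixed}"
            if auth.lower() not in ("uaa", "zitadel"):
                reason += "; no authentication server configured (UAA/Zitadel)"
            findings.append((host, reason))
    return findings


# Constructed sample inventory; these are not real hosts.
SAMPLE_INVENTORY = """
gis-lnx-01, Linux,   v5.3.3, UAA
gis-lnx-02, Linux,   v5.3.4, -
gis-win-01, Windows, v5.3.4, -
gis-win-02, Windows, v5.3.5, Zitadel
gis-old-01, Linux,   v2.9.1, -
"""

if __name__ == "__main__":
    for host, reason in triage(SAMPLE_INVENTORY):
        print(f"{host}: {reason}")
```

A host outside the stated range (such as v2.9.1 above) is not flagged by this check; the advisory does not cover builds below v3.0.0, so they need separate assessment.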
Because Smallworld is widely used in Operational Technology (OT) and Industrial Control Systems (ICS) networks, improper authentication could have serious implications for grid operators, utilities, and energy infrastructure providers. GE Vernova acknowledged this sensitivity and urged customers to review their defense-in-depth strategies, including network segmentation and isolation practices.
Customers are encouraged to contact their local GE Vernova support representative to obtain updated software builds and to sign up for automatic notifications via the GE Vernova Digital Support portal.