The EnerVista URPC installation software versions prior to 8.70, used an incorrect method of loading the DLL (dynamic Link Library) file by referencing it relative to the location of the installation folder. If the system in which the software is installed gets compromised, an attacker could exploit this weakness and replace the legitimate DLL with a malicious file. The EnerVista UR Setup software installation has been upgraded to address this vulnerability.

As a workaround, GE Vernova recommends having secure infrastructure in place, which can protect the system. We also recommend that customers protect their digital devices using a defense-in-depth strategy. This includes, but is not limited to, placing digital devices inside the control system network security perimeter, access controls, robust network monitoring (such as Intrusion Detection System) and other mitigation techniques in place. Please refer to the product secure deployment guide. It is essential for organizations to prioritize cybersecurity measures, including regular vulnerability assessments and prompt application of security patches.