EUVD-2025-17678

| CVE-2025-40585 CRITICAL
Energy Services Incorrect Default Permissions (CWE-276)
2025-06-10 [email protected]
9.9
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
High
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Mar 14, 2026 - 19:49 euvd
EUVD-2025-17678
Analysis Generated
Mar 14, 2026 - 19:49 vuln.today
CVE Published
Jun 10, 2025 - 16:15 nvd
CRITICAL 9.9

DescriptionNVD

A vulnerability has been identified in Energy Services (All versions with G5DFR). Affected solutions using G5DFR contain default credentials. This could allow an attacker to gain control of G5DFR component and tamper with outputs from the device.

AnalysisAI

Critical authentication bypass vulnerability affecting Energy Services products that use the G5DFR component, where default credentials allow unauthenticated remote attackers to gain full control and tamper with device outputs. The CVSS 9.9 score reflects the severe nature of this issue-no authentication required, network-accessible, with high integrity impact across system boundaries. This vulnerability poses an immediate threat to critical infrastructure and industrial control systems relying on Energy Services with G5DFR.

Technical ContextAI

The G5DFR component in Energy Services products contains hardcoded or unchanged default credentials (CWE-276: Incorrect Default Permissions), enabling authentication bypass without privilege escalation. The affected solutions lack proper credential management during deployment, allowing remote unauthenticated access (AV:N) via standard network protocols. G5DFR appears to be a data flow or reporting component within Energy Services infrastructure; the vulnerability allows attackers to not only access the system but manipulate device outputs, suggesting the component controls critical measurement, reporting, or control signals in energy distribution or management systems. The lack of authentication controls and the ability to tamper with outputs indicates insufficient access controls and output validation mechanisms in the component's design.

RemediationAI

Immediate actions: (1) Identify all Energy Services deployments containing G5DFR using vendor documentation or asset inventory tools; (2) As an emergency measure, restrict network access to G5DFR components using firewall rules, VLANs, or network segmentation—allow only trusted administrative networks; (3) Change default credentials immediately if access to credential configuration is available, though this may not be possible if hardcoded in firmware. Vendor-specific remediation: Contact the Energy Services vendor for patched versions that remove or securely manage default credentials. Apply patches to all affected systems in priority order (critical infrastructure first). Implement network-level authentication (e.g., VPN, mutual TLS) as an interim control. Monitor access logs for authentication attempts or unauthorized tampering with outputs. Post-remediation: Conduct integrity audits of G5DFR outputs to detect any historical tampering.

Share

EUVD-2025-17678 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy