Vulnerabilities in GE Vernova’s Grid Solutions EMS (Energy Management System) platform have been disclosed through coordinated researcher notification, with CISA publishing an advisory covering two flaws: an unauthenticated path traversal (CVE-2026-6103) and a post-authentication privilege escalation (CVE-2026-6104). The platform is used by electric utilities, independent system operators, and transmission system operators for real-time grid monitoring, dispatch, and control.

GE Vernova Grid Solutions EMS in Context

GE Vernova’s Grid Solutions portfolio — formerly GE Grid Solutions and Power Systems prior to the GE-Vernova separation — includes energy management systems deployed by some of the largest grid operators globally. The EMS platform provides real-time SCADA functions for grid operators: network model management, state estimation, contingency analysis, automatic generation control (AGC), and operator display systems used for grid dispatch decisions.

EMS platforms sit at the top of the operational technology hierarchy in a utility. They aggregate data from hundreds or thousands of substations via ICCP (TASE.2) or other protocols, provide the operational picture for control room operators, and in automated configurations execute AGC commands that directly affect generation output. Security flaws in an EMS have broader potential impact than a single substation device.

CVE-2026-6103 — Unauthenticated Path Traversal (CVSS 8.6)

The EMS platform’s web-based operator interface contains an unauthenticated path traversal vulnerability in its file serving component. An unauthenticated attacker with network access to the EMS web server can craft a URL request using ../ sequences to access files outside the intended web document root.

Exploitable paths include:

  • EMS configuration files containing ICCP partner addresses, database schema definitions, and alarm threshold configurations
  • Certificate and credential store locations (depending on OS-level permissions)
  • Application log files containing operator session data and network model queries

The path traversal does not directly grant code execution or write access, but the configuration and credential material accessible via the flaw is operationally significant and can be used to stage further attacks against the EMS or its ICCP communication partners.

Affected versions: GE Vernova Grid Solutions EMS prior to release 8.7.2.

CVE-2026-6104 — Privilege Escalation via Insecure Process Invocation (CVSS 7.8)

A post-authentication privilege escalation exists in the EMS platform’s diagnostic tools component. An authenticated attacker with standard operator privileges can exploit an insecure process invocation in a diagnostic script to execute commands as the EMS service account — which runs with elevated OS privileges.

Successful exploitation requires valid operator credentials. In the context of a supply chain compromise, stolen credential reuse, or insider threat scenario, this flaw provides a path from operator-level access to full EMS server compromise.

Affected versions: Same as CVE-2026-6103.

Remediation

GE Vernova has released EMS version 8.7.2 addressing both vulnerabilities. Given the criticality of EMS platforms to utility operations, update planning should follow the organisation’s standard change management process for production EMS systems — typically requiring a maintenance window with grid operations coordination.

Immediate compensating controls:

  1. Restrict EMS web interface access — allow only authorised engineering workstations and operator terminals to reach the EMS web server (TCP 443/8443). Block access from corporate IT networks and any network segment not operationally required.

  2. ICCP communication controls — review ICCP partner configurations and ensure only authorised ICCP partners (peer utilities, ISOs) are permitted to connect.

  3. Audit operator credential assignments — review accounts with operator-level access to the EMS. Reduce to minimum required. Ensure multi-factor authentication is enforced for all remote access paths.

  4. Enhanced logging — increase EMS audit log verbosity and export logs to a SIEM for anomaly detection while awaiting patch application.

Broader Pattern

This advisory continues a documented trend of vulnerabilities in energy management systems and SCADA platforms used at the grid operations layer. Volt Typhoon’s documented pre-positioning in US utility OT networks and the continued targeting of energy sector critical infrastructure by multiple nation-state threat actors make EMS-layer vulnerabilities a priority concern. An EMS compromise does not automatically translate to a grid outage, but it represents access to the system that would be used to manage and respond to one.

References

Tags
GE-VernovaGrid-SolutionsEMSSCADAenergy-managementpath-traversalprivilege-escalationelectric-utilityCVE-2026-6103CVE-2026-6104