GE Vernova published two product security advisories on November 6, 2025.
Specifically, these are CVE-2025-7719 (Smallworld SWMFS Arbitrary File Operations) and CVE-2025-3222 (Smallworld SWMFS – Improper Authentication).
The specific assessment of the risk depends largely on many individual factors, which can vary from installation to installation or from customer to customer. An evaluation based on the CVSS (Common Vulnerability Scoring System) standard can make a significant contribution to the assessment. We are happy to assist you in determining your individual risk and recommend using the online form ‘Common Vulnerability Scoring System Version 4.0 Calculator’.
As essential recommendations for action in the context of the above GE product safety notices, we recommend:
- the use of a local user with severely restricted rights for running the Smallworld Masterfile Server (`swmfs`)
- using Smallworld Masterfile Server version 5.3.6 or higher, if it is possible in your environment
- following the Smallworld ‘Secure Deployment Guide’ and all related documents listed there
- assessing the vulnerability of your environment according to CVSS (see above).
If you have completely migrated to Smallworld version 5.3.6, use one of the two external authentication methods recommended by GE, and follow GE’s Secure Deployment Guidelines for operation and installation, you can ignore the product security notices listed above.
If you have any questions, please do not hesitate to contact our support team or your specific project manager during our regular business hours.