CVE-2021-27418

GE UR family input validation

Description

GE UR firmware versions prior to version 8.1x supports web interface with read-only access. The device fails to properly validate user input, making it possible to perform cross-site scripting attacks, which may be used to send a malicious script. Also, UR Firmware web server does not perform HTML encoding of user-supplied strings.

Remediation

Solution:

  • GE strongly recommends users with impacted firmware versions update their UR devices to UR firmware Version 8.10, or greater to resolve these vulnerabilities. GE provides additional mitigations and information about these vulnerabilities in GE Publication Number: GES-2021-004 (login required).

Workaround:

  • GE recommends protecting UR IED by using network defense-in-depth practices. This includes, but is not limited to, placing UR IED inside the control system network security perimeter, and having access controls, monitoring (such as an Intrusion Detection System), and other mitigating technologies in place. GE recommends users refer to the UR Deployment guide for secure configuration of UR IED and system.

Categories

5.3
CVSS
Severity: Medium
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.22%
Vendor Advisory gegridsolutions.com
Affected: GE UR family
Published at:
Updated at:

References

Link Tags
https://www.cisa.gov/uscert/ics/advisories/icsa-21-075-02 us government resource third party advisory mitigation
https://www.gegridsolutions.com/Passport/Login.aspx permissions required vendor advisory

Frequently Asked Questions

What is the severity of CVE-2021-27418?
CVE-2021-27418 has been scored as a medium severity vulnerability.
How to fix CVE-2021-27418?
To fix CVE-2021-27418: GE strongly recommends users with impacted firmware versions update their UR devices to UR firmware Version 8.10, or greater to resolve these vulnerabilities. GE provides additional mitigations and information about these vulnerabilities in GE Publication Number: GES-2021-004 (login required).
Is CVE-2021-27418 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2021-27418 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-27418?
CVE-2021-27418 affects GE UR family.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.