CVE-2021-27424

GE UR family exposure of sensitive information to an unauthorized actor

Description

GE UR firmware versions prior to version 8.1x shares MODBUS memory map as part of the communications guide. GE was made aware a “Last-key pressed” MODBUS register can be used to gain unauthorized information.

Remediation

Solution:

  • GE strongly recommends users with impacted firmware versions update their UR devices to UR firmware Version 8.10, or greater to resolve these vulnerabilities. GE provides additional mitigations and information about these vulnerabilities in GE Publication Number: GES-2021-004 (login required).

Workaround:

  • GE recommends protecting UR IED by using network defense-in-depth practices. This includes, but is not limited to, placing UR IED inside the control system network security perimeter, and having access controls, monitoring (such as an Intrusion Detection System), and other mitigating technologies in place. GE recommends users refer to the UR Deployment guide for secure configuration of UR IED and system.

Categories

5.3
CVSS
Severity: Medium
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.19%
Vendor Advisory gegridsolutions.com
Affected: GE UR family
Published at:
Updated at:

References

Link Tags
https://www.cisa.gov/uscert/ics/advisories/icsa-21-075-02 us government resource third party advisory mitigation
https://www.gegridsolutions.com/Passport/Login.aspx permissions required vendor advisory

Frequently Asked Questions

What is the severity of CVE-2021-27424?
CVE-2021-27424 has been scored as a medium severity vulnerability.
How to fix CVE-2021-27424?
To fix CVE-2021-27424: GE strongly recommends users with impacted firmware versions update their UR devices to UR firmware Version 8.10, or greater to resolve these vulnerabilities. GE provides additional mitigations and information about these vulnerabilities in GE Publication Number: GES-2021-004 (login required).
Is CVE-2021-27424 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2021-27424 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-27424?
CVE-2021-27424 affects GE UR family.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.