CVE-2021-27428

GE UR family Unrestricted Upload of File with Dangerous Type

Description

GE UR IED firmware versions prior to version 8.1x supports upgrading firmware using UR Setup configuration tool – Enervista UR Setup. This UR Setup tool validates the authenticity and integrity of firmware file before uploading the UR IED. An illegitimate user could upgrade firmware without appropriate privileges. The weakness is assessed, and mitigation is implemented in firmware Version 8.10.

Remediation

Solution:

  • GE strongly recommends users with impacted firmware versions update their UR devices to UR firmware Version 8.10, or greater to resolve these vulnerabilities. GE provides additional mitigations and information about these vulnerabilities in GE Publication Number: GES-2021-004 (login required).

Workaround:

  • GE recommends protecting UR IED by using network defense-in-depth practices. This includes, but is not limited to, placing UR IED inside the control system network security perimeter, and having access controls, monitoring (such as an Intrusion Detection System), and other mitigating technologies in place. GE recommends users refer to the UR Deployment guide for secure configuration of UR IED and system.

Category

9.8
CVSS
Severity: Critical
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.24%
Vendor Advisory gegridsolutions.com
Affected: GE UR family
Published at:
Updated at:

References

Link Tags
https://www.cisa.gov/uscert/ics/advisories/icsa-21-075-02 us government resource third party advisory mitigation
https://www.gegridsolutions.com/Passport/Login.aspx permissions required vendor advisory

Frequently Asked Questions

What is the severity of CVE-2021-27428?
CVE-2021-27428 has been scored as a critical severity vulnerability.
How to fix CVE-2021-27428?
To fix CVE-2021-27428: GE strongly recommends users with impacted firmware versions update their UR devices to UR firmware Version 8.10, or greater to resolve these vulnerabilities. GE provides additional mitigations and information about these vulnerabilities in GE Publication Number: GES-2021-004 (login required).
Is CVE-2021-27428 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2021-27428 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-27428?
CVE-2021-27428 affects GE UR family.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.