CVE-2021-27430

GE UR family hardcoded credentials

Description

GE UR bootloader binary Version 7.00, 7.01 and 7.02 included unused hardcoded credentials. Additionally, a user with physical access to the UR IED can interrupt the boot sequence by rebooting the UR.

Remediation

Solution:

  • GE strongly recommends users with impacted firmware versions update their UR devices to UR firmware Version 8.10, or greater to resolve these vulnerabilities. GE provides additional mitigations and information about these vulnerabilities in GE Publication Number: GES-2021-004 (login required).

Workaround:

  • GE recommends protecting UR IED by using network defense-in-depth practices. This includes, but is not limited to, placing UR IED inside the control system network security perimeter, and having access controls, monitoring (such as an Intrusion Detection System), and other mitigating technologies in place. GE recommends users refer to the UR Deployment guide for secure configuration of UR IED and system.

Category

8.4
CVSS
Severity: High
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.08%
Vendor Advisory gegridsolutions.com
Affected: GE UR bootloader binary
Published at:
Updated at:

References

Link Tags
https://www.cisa.gov/uscert/ics/advisories/icsa-21-075-02 us government resource third party advisory mitigation
https://www.gegridsolutions.com/Passport/Login.aspx permissions required vendor advisory

Frequently Asked Questions

What is the severity of CVE-2021-27430?
CVE-2021-27430 has been scored as a high severity vulnerability.
How to fix CVE-2021-27430?
To fix CVE-2021-27430: GE strongly recommends users with impacted firmware versions update their UR devices to UR firmware Version 8.10, or greater to resolve these vulnerabilities. GE provides additional mitigations and information about these vulnerabilities in GE Publication Number: GES-2021-004 (login required).
Is CVE-2021-27430 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2021-27430 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2021-27430?
CVE-2021-27430 affects GE UR bootloader binary.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.