GE Energy Critical Vulnerability Alerts

The US Cybersecurity and Infrastructure Security Agency (CISA) has warned of a critical vulnerability in GE Energy's Power management devices. It made recommendations after the announcement of a vulnerability that could allow an attacker to perform multiple malicious activities on vulnerable systems. The most serious issue at GE Energy, Vulnerability (CVE-2021-27426), was rated 9.8 out of 10 and was shown to be a critical issue.

The products affected by the vulnerability from GE energy's UR devices are B30, B90, C30, C60, C70, C95, D30, D60, F35, F60, G30, G60, L30, L60, L90, M60, N60, T35, T60. GE has released an update to fix the energy vulnerability.

The attacker who successfully exploits the vulnerabilities affecting the device can be exploited for Insufficient Encryption, session detection, executing an unauthorized command of sensitive information, access sensitive information, device reboot, trigger a denial of service condition, gain privileged access. Loading dangerous files, insecure default variable initialization, use of hard-coded credentials.

All GE energy UR firmware versions prior to 8.1x were found to use weak encryption and MAC algorithms for SSH communication, making them more vulnerable to brute force attacks.

Source: https://us-cert.cisa.gov/ics/advisories/icsa-21-075-02

---