GE MultiLink Series Hard-coded Credential Vulnerability
Act Now | CVSS 10 | ICS-CERT ICSA-16-154-01 | Mar 6, 2016
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
GE MultiLink series switches (ML800, ML810, ML1200, ML1600, ML2400, ML3000, ML3100) contain hard-coded credentials in firmware versions below 5.5.0 (and 5.5.0k for ML810, ML3000, ML3100). An unauthenticated attacker with network access to the switch management interface can authenticate using these embedded credentials and gain full administrative control. The vendor has not released a patched firmware version; these are legacy devices and no fix is planned.
What this means
What could happen
An attacker with network access to a GE MultiLink switch can log in without valid credentials using hard-coded accounts, gaining full control to modify device configuration, disrupt network connectivity for critical systems, or intercept traffic.
Who's at risk
Water authorities and electric utilities operating GE MultiLink Ethernet switches in SCADA networks, control system LANs, and data acquisition systems. The switches provide network connectivity for remote terminal units (RTUs), programmable logic controllers (PLCs), and HMI systems. Any facility using these switches for critical process communication is affected.
How it could be exploited
An attacker connects over the network to the management interface of the GE MultiLink switch (Ethernet, likely port 22 SSH or web interface) and authenticates using hard-coded credentials embedded in the device firmware. Once authenticated, the attacker has administrative access to reconfigure the switch, change routing rules, or shut down ports serving critical OT devices.
Prerequisites
- Network access to the management interface of the switch (SSH, telnet, or web interface)
- Knowledge of the hard-coded credential values embedded in the firmware
- Device running affected firmware version
- Remotely exploitable
- No authentication required (hard-coded credentials)
- Low complexity attack
- No patch available
- CVSS score 10 (critical)
- Affects network infrastructure serving safety and control systems
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (7)
7 EOL
| Product | Affected Versions | Fix Status |
|---|---|---|
| GE ML800 Switch | < firmware 5.5.0 | No fix (EOL) |
| GE ML810 Switch | < firmware 5.5.0k | No fix (EOL) |
| GE ML1200 Switch | < firmware 5.5.0 | No fix (EOL) |
| GE ML1600 Switch | < firmware 5.5.0 | No fix (EOL) |
| GE ML2400 Switch | < firmware 5.5.0 | No fix (EOL) |
| GE ML3000 Switch | < firmware 5.5.0k | No fix (EOL) |
| GE ML3100 Switch | < firmware 5.5.0k | No fix (EOL) |
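Added example, not part of the advisory or any GE tooling: a small inventory triage that applies the affected-version list above. It assumes a letter suffix sorts after the bare release (5.5.0 < 5.5.0k) and uses a constructed sample inventory; the function and asset names are hypothetical.

```python
import re

# Versions below these thresholds are affected, per the advisory's product list.
THRESHOLDS = {
    "ML800": "5.5.0", "ML1200": "5.5.0", "ML1600": "5.5.0", "ML2400": "5.5.0",
    "ML810": "5.5.0k", "ML3000": "5.5.0k", "ML3100": "5.5.0k",
}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)$")
_LABELS = {True: "affected", False: "not affected", None: "not listed"}

def parse_version(text):
    """Turn '5.5.0' or '5.5.0k' into a sortable tuple."""
    # Assumption: a letter suffix is a later build, so 5.5.0 < 5.5.0a < 5.5.0k.
    match = _VERSION_RE.match(text.strip().lower())
    if not match:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    major, minor, patch, suffix = match.groups()
    return (int(major), int(minor), int(patch), suffix)

def is_affected(model, firmware):
    """True or False per the advisory; None when the model is not listed."""
    threshold = THRESHOLDS.get(model.strip().upper())
    if threshold is None:
        return None
    return parse_version(firmware) < parse_version(threshold)

def triage(inventory):
    """Map asset name -> status; unparseable versions need a manual check."""
    results = {}
    for name, model, firmware in inventory:
        try:
            results[name] = _LABELS[is_affected(model, firmware)]
        except ValueError:
            results[name] = "check manually"
    return results

# Constructed sample inventory: (asset name, model, firmware version).
SAMPLE_INVENTORY = [
    ("pump-station-sw1", "ML800", "5.4.1"),
    ("substation-sw2", "ML3000", "5.5.0"),
    ("substation-sw3", "ML3000", "5.5.0k"),
    ("lab-sw4", "ML810", "unknown"),
]

if __name__ == "__main__":
    for asset, status in triage(SAMPLE_INVENTORY).items():
        print(f"{asset}: {status}")
```

Assets reported as "check manually" have a version string the parser does not recognise and should be verified on the device before being treated as unaffected.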
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to the management interface of GE MultiLink switches using firewall rules: allow only connections from authorized engineering workstations and block external/untrusted sources.
- HARDENING: Change any default or hard-coded account passwords if the device allows manual credential updates; document new credentials in a secure password manager.
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption.
- HARDENING: Disable remote management access (SSH, telnet, web interface) if not required for operations; manage the switch only from a directly connected console.
- HARDENING: Monitor switch management interface logs for unauthorized login attempts and unexpected configuration changes.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: GE ML800 Switch (< firmware 5.5.0), GE ML810 Switch (< firmware 5.5.0k), GE ML1200 Switch (< firmware 5.5.0), GE ML1600 Switch (< firmware 5.5.0), GE ML2400 Switch (< firmware 5.5.0), GE ML3000 Switch (< firmware 5.5.0k), GE ML3100 Switch (< firmware 5.5.0k). Apply the following compensating controls:
- HARDENING: Segment the switch onto a protected management network (VLAN) separate from critical process networks to limit lateral movement if an account is compromised.
CVEs (1)