GE UR family

Act NowCVSS 9.8ICS-CERT ICSA-21-075-02Mar 16, 2021

Energy

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

GE UR family devices contain multiple critical vulnerabilities affecting firmware versions below 8.1x: unvalidated firmware upload capability allowing attackers to install malicious code, weak SSH implementation in versions 7.4x–8.0x, inadequate Factory Mode protections, web server vulnerabilities, exposure of system register data including keystroke history, and bootloader flaws in versions below 7.03/7.04. Successful exploitation could allow unauthorized access to sensitive information, device reboot/denial-of-service, or privileged command execution that could alter protective relay settings or disable protective functions.

What this means

What could happen

An attacker with network access to a GE UR device could read sensitive data, restart the device causing operational disruption, gain administrative control, or execute commands that alter protective relay settings or trip the system.

Who's at risk

GE UR family protective relays and Intelligent Electronic Devices (IED) used in electric utility substations and generating facilities. Affects all firmware versions below 8.1x, with additional SSH vulnerabilities in versions 7.4x through 8.0x. Critical for any organization operating GE UR devices in SCADA or protective relay systems.

How it could be exploited

An attacker on the same network segment as a vulnerable UR device could upload malicious firmware by bypassing firmware validation checks, gain SSH access due to weak SSH implementation, or access internal system registers through the web server. No authentication is required for these attacks.

Prerequisites

Network access to the UR device (same subnet or routable path)
Device running firmware version below 8.1x for most vulnerabilities
Device with firmware 7.4x to 8.0x for SSH-related issues
No valid credentials required

Remotely exploitableNo authentication requiredLow complexity attackHigh EPSS score (41%)No patch available for older hardware/bootloader variantsAffects critical protective relay systems

Exploitability

Likely to be exploited — EPSS score 37.8%

Public Proof-of-Concept (PoC) on GitHub (1 repository)

Affected products (6)

6 pending

ProductAffected VersionsFix Status

Protection from unintended firmware upload: all< 8.1xNo fix yet

Vulnerabilities related to SSH Support: firmware≥ 7.4x | ≤ 8.0xNo fix yet

Provisions to disable Factory Mode: all< 8.1xNo fix yet

Web server vulnerabilities: all< 8.1xNo fix yet

Access to Last-key pressed register: all< 8.1xNo fix yet

Weakness in UR bootloader binary: all bootloader< 7.03 /7.04No fix yet

Remediation & Mitigation

0/6

Do now

0/2

HARDENINGImplement network segmentation so UR devices are not directly reachable from the Internet or untrusted networks

WORKAROUNDIf remote access is required, use a VPN with current security patches

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade UR firmware to version 8.10 or later

Long-term hardening

0/3

HARDENINGPlace UR IED devices behind a firewall and inside the control network security perimeter, isolated from business network

HARDENINGDeploy an Intrusion Detection System (IDS) to monitor UR device traffic for suspicious activity

HARDENINGReview UR Deployment guide for secure configuration best practices

CVEs (9)

CVE-2016-2183 CVE-1999-1085 CVE-2021-27422 CVE-2021-27418 CVE-2021-27420 CVE-2021-27428 CVE-2021-27426 CVE-2021-27424 CVE-2021-27430

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/e939d3f8-fb33-4187-9512-3147d8ccaedf

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.