GE Reason DR60
Act Now · CVSS 9.8 · ICS-CERT ICSA-21-082-03 · Mar 23, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The DR60 digital fault recorder contains multiple vulnerabilities that allow remote code execution and privilege escalation. CWE-259 (use of a hard-coded password), CWE-94 (improper control of code generation, i.e. code injection), and CWE-250 (execution with unnecessary privileges) together let an attacker on the network execute arbitrary commands and take full control of the device without authentication. This affects all DR60 devices running firmware versions prior to 02A04.1.
What this means
What could happen
An attacker could remotely execute code on the DR60 digital fault recorder and gain full administrative control, potentially allowing them to manipulate power system data, disable the device, or compromise the integrity of fault records critical to grid operations.
Who's at risk
Electric utilities operating GE DR60 digital fault recorders used for power system fault recording and analysis. This affects protection and control infrastructure relied upon for grid stability and incident investigation.
How it could be exploited
An attacker on the network could send a specially crafted request to the DR60 without authentication. Because the device accepts a hard-coded password, does not prevent attacker-supplied input from being interpreted as code, and runs the affected component with more privilege than it needs, the attacker's commands execute with full control of the fault recorder.
Prerequisites
- Network access to the DR60 device (port/protocol not specified in advisory)
- No authentication required
- Device running firmware version prior to 02A04.1
Risk factors
- remotely exploitable
- no authentication required
- low complexity
- high CVSS score (9.8)
- affects critical energy infrastructure
- involves code execution
- default or no security model on fault recorders
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product | Affected Versions | Fix Status
DR60 (all) | < 02A04.1 | fixed in 02A04.1
Remediation & Mitigation
Do now
- HARDENING: Place DR60 devices inside the control system network security perimeter with restricted access
- HARDENING: Implement network access controls to limit which systems can reach the DR60
Schedule (requires maintenance window)
Patching may require a device reboot; plan for process interruption.
- HOTFIX: Upgrade DR60 firmware to version 02A04.1 or higher
- HARDENING: Deploy intrusion detection system (IDS) monitoring for DR60 traffic
Long-term hardening
- HARDENING: Review and align DR60 deployment with NERC CIP cybersecurity requirements
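The two network-side mitigations above (restrict which systems can reach the DR60, and monitor traffic to it) can be expressed as one allow-list policy. The script below is an added example, not code from the advisory, GE or CISA: it evaluates constructed firewall/flow log lines against a policy that permits only an assumed engineering subnet to connect to the recorder on an assumed set of expected ports, and raises an alert for anything else. Because the advisory does not name the vulnerable port or protocol, the policy treats every unexpected port as suspicious rather than assuming it is safe. All addresses, ports and log lines are made up for the example.

```python
"""Allow-list check over flow records for a GE Reason DR60 network segment.

Added example, not code from the advisory, from GE or from CISA. The advisory
does not name the port or protocol of the vulnerable service, so the policy
modelled here is the conservative one the mitigation list implies: only a
small set of engineering hosts may reach the recorder, and any other
connection attempt is alerted on. Addresses, ports and log lines below are
constructed assumptions for the example.
"""
import ipaddress
import re
from dataclasses import dataclass

# Assumed deployment: one DR60 on the protection VLAN, reachable only from the
# engineering subnet. Neither value comes from the advisory.
DR60_ADDRESSES = {ipaddress.ip_address("10.20.30.40")}
ALLOWED_SOURCES = ipaddress.ip_network("10.20.31.0/28")

# Hypothetical services the site expects to use on the recorder. The advisory
# does not say which ports the vulnerable service listens on, so anything
# outside this set is treated as suspicious rather than assumed harmless.
EXPECTED_PORTS = {22, 443}

# Constructed flow log format: timestamp followed by key=value pairs.
FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)"
    r"\s+proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)"
)


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    dport: int
    reasons: tuple


def parse_flow(line):
    """Parse one constructed flow record; return None for lines that do not match."""
    m = FLOW_RE.match(line.strip())
    if m is None:
        return None
    try:
        src = ipaddress.ip_address(m["src"])
        dst = ipaddress.ip_address(m["dst"])
    except ValueError:
        return None
    return {"ts": m["ts"], "src": src, "dst": dst,
            "proto": m["proto"].lower(), "dport": int(m["dport"])}


def check_flow(flow):
    """Return an Alert when a flow reaches a DR60 from outside the allow-list or
    on a port the site does not expect; None when the flow is in policy or does
    not involve a DR60 at all."""
    if flow["dst"] not in DR60_ADDRESSES:
        return None
    reasons = []
    if flow["src"] not in ALLOWED_SOURCES:
        reasons.append("source outside engineering allow-list")
    if flow["dport"] not in EXPECTED_PORTS:
        reasons.append(f"unexpected destination port {flow['dport']}/{flow['proto']}")
    if not reasons:
        return None
    return Alert(flow["ts"], str(flow["src"]), flow["dport"], tuple(reasons))


def scan(lines):
    """Run the policy over an iterable of log lines and return the alerts in order."""
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        alert = check_flow(flow)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample log: one in-policy flow, one corporate host reaching the
# recorder, one engineering host on an unexpected port, one flow to a different
# device, one garbage line, and one flow that violates both rules.
SAMPLE_LOG = [
    "2021-03-24T08:00:01Z src=10.20.31.5 dst=10.20.30.40 proto=tcp dport=443",
    "2021-03-24T08:00:07Z src=10.1.1.50 dst=10.20.30.40 proto=tcp dport=443",
    "2021-03-24T08:00:12Z src=10.20.31.5 dst=10.20.30.40 proto=tcp dport=8080",
    "2021-03-24T08:00:15Z src=10.1.1.50 dst=10.20.30.41 proto=tcp dport=22",
    "this line is not a flow record",
    "2021-03-24T08:00:20Z src=192.168.77.9 dst=10.20.30.40 proto=tcp dport=4444",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert.ts} {alert.src} -> DR60:{alert.dport}: {'; '.join(alert.reasons)}")
```

Run against the constructed log this reports three alerts: the corporate host on 443, the engineering host on 8080, and the unknown host on 4444 (which trips both rules). The same allow-list is what the "Do now" items ask you to enforce at the firewall with a default-deny rule toward the DR60; the monitoring here is the compensating check that the rule is actually holding until the 02A04.1 firmware is installed.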