GE MiCOM S1 Agile
Monitor5.3ICS-CERT ICSA-23-311-01Nov 7, 2023
Attack VectorLocal
Auth RequiredHigh
ComplexityLow
User InteractionRequired
Summary
GE MiCOM S1 Agile protective relays contain a file upload vulnerability (CWE-427) that could allow an attacker with local access to upload malicious files and achieve code execution on the device. Successful exploitation could alter protection logic or disable relay functions. General Electric has released an update to resolve this issue.
What this means
What could happen
An attacker with local access to a MiCOM S1 Agile device could upload and run malicious code, potentially altering protection logic, control settings, or disabling the relay outright.
Who's at risk
Power system operators and utilities managing GE MiCOM S1 Agile protective relays used in electrical substations and distribution systems. These devices control critical protection and switching logic.
How it could be exploited
An attacker would need to gain local physical or console access to the device, then use a file upload mechanism to inject malicious code that executes with device privileges. This could modify relay behavior or disable critical protection functions.
Prerequisites
- Local physical or console access to the MiCOM S1 Agile device
- Ability to interact with the device file upload interface
- No credentials mentioned as required; local access may bypass authentication
requires local access (not remotely exploitable)affects safety/protective systemsall versions vulnerable until patched
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (1)
ProductAffected VersionsFix Status
MiCOM S1 Agile: vers:all/*All versionsFix available
Remediation & Mitigation
0/1
Schedule — requires maintenance window
0/1Patching may require device reboot — plan for process interruption
HOTFIXApply the update released by General Electric for MiCOM S1 Agile to resolve the file upload vulnerability
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/6e9d6087-655c-466a-a8e6-2d532ec95e72