#VU51529 Insecure Default Variable Initialization in GE products - CVE-2021-27426 


Published: March 17, 2021 / Updated: March 17, 2021


Vulnerability identifier: #VU51529
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2021-27426
CWE-ID: CWE-453
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
B30
C30
C60
C70
C95
D30
D60
F35
F60
G30
G60
L30
L60
L90
M60
N60
T35
T60
Software vendor:
GE

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists because a UR IED ordered with the “Basic” security variant does not allow the “Factory Mode”, which is used for servicing the IED by a “Factory” user, to be disabled. A remote attacker who can reach the device may abuse this always-available mode to execute arbitrary code on the system.

Note: This vulnerability affects the following versions, which lack a provision to disable Factory Mode:

  • all firmware versions prior to 8.1x with basic security option
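The practical question an operator has at this point is which relays in the estate match the three conditions above (listed model, firmware prior to 8.1x, Basic security option). The script below is an added example for that triage, not code from the advisory or from GE; the inventory rows, the field names, the "Basic"/"Advanced" variant labels and the "major.minor" firmware string format are assumptions made for illustration. Firmware that cannot be parsed is reported for manual review rather than silently treated as fixed.

```python
"""Triage an IED inventory against #VU51529 / CVE-2021-27426.

Added example, not code from the advisory or from GE. The inventory rows,
the field names, the variant labels and the firmware string format
("7.40", "8.10") are assumptions made for illustration.
"""
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation
from typing import Dict, List, Optional

# UR models listed as vulnerable in the advisory.
AFFECTED_MODELS = frozenset({
    "B30", "C30", "C60", "C70", "C95", "D30", "D60", "F35", "F60",
    "G30", "G60", "L30", "L60", "L90", "M60", "N60", "T35", "T60",
})

# The advisory scopes the issue to firmware prior to 8.1x with the Basic
# security option, so 8.1 is treated as the first firmware line that is
# not affected.
FIXED_FROM = Decimal("8.1")


@dataclass(frozen=True)
class Ied:
    name: str              # assumed asset label, e.g. a relay tag
    model: str             # UR model, e.g. "C60"
    firmware: str          # assumed "major.minor" string, e.g. "7.40"
    security_variant: str  # assumed labels: "Basic" or "Advanced"


def parse_firmware(version: str) -> Optional[Decimal]:
    """Return the numeric firmware version, or None if it cannot be parsed.

    A trailing 'x' (the advisory's "8.1x" wildcard notation) is stripped so
    that an inventory entry recorded that way still compares correctly.
    """
    cleaned = version.strip().lower().rstrip("x")
    try:
        return Decimal(cleaned)
    except InvalidOperation:
        return None


def assess(ied: Ied) -> str:
    """Classify one IED as 'vulnerable', 'not_affected' or 'review'.

    'review' means the record is insufficient to decide; treat it as
    vulnerable until an operator confirms the firmware on the device.
    """
    if ied.model.strip().upper() not in AFFECTED_MODELS:
        return "not_affected"
    if ied.security_variant.strip().lower() != "basic":
        return "not_affected"
    version = parse_firmware(ied.firmware)
    if version is None:
        return "review"
    return "vulnerable" if version < FIXED_FROM else "not_affected"


def triage(inventory: List[Ied]) -> Dict[str, str]:
    """Map each asset name to its assessment."""
    return {ied.name: assess(ied) for ied in inventory}


# Constructed sample inventory (not real asset data).
SAMPLE_INVENTORY = [
    Ied("RELAY-01", "C60", "7.40", "Basic"),     # listed model, old firmware, Basic
    Ied("RELAY-02", "L90", "8.10", "Basic"),     # 8.1x line, outside the advisory scope
    Ied("RELAY-03", "D60", "7.90", "Advanced"),  # advisory scopes the issue to Basic only
    Ied("RELAY-04", "C70", "8.0x", "Basic"),     # wildcard entry, still prior to 8.1x
    Ied("RELAY-05", "F60", "n/a", "Basic"),      # unknown firmware, needs a manual check
    Ied("OTHER-01", "X99", "2.1", "Basic"),      # model not in the advisory's list
]

if __name__ == "__main__":
    for asset, status in triage(SAMPLE_INVENTORY).items():
        print(f"{asset}: {status}")
```

Run the module directly to print one line per asset; in a real estate, replace SAMPLE_INVENTORY with rows loaded from the asset register and confirm every "review" result against the firmware reported by the device itself, since the inventory is only as good as its last update.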


Remediation

Install updates from the vendor's website.

External links