CVE-2021-27426

9.8 CRITICAL

📋 TL;DR

GE UR IED firmware versions prior to 8.1x with 'Basic' security variant have a factory mode that cannot be disabled, allowing unauthorized access. This affects industrial control systems using these devices, potentially enabling attackers to modify configurations or disrupt operations.

💻 Affected Systems

Products:
  • GE UR IED (Intelligent Electronic Device)
Versions: All versions prior to 8.1x
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects devices with 'Basic' security variant; 'Enhanced' security variant is not vulnerable.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of industrial control system allowing unauthorized configuration changes, operational disruption, or safety system manipulation.

🟠

Likely Case

Unauthorized access to device configuration leading to operational changes or data exfiltration.

🟢

If Mitigated

Limited impact with proper network segmentation and access controls preventing exploitation.

🌐 Internet-Facing: HIGH if devices are directly reachable from the internet, given the critical severity and 9.8 CVSS score.
🏢 Internal Only: HIGH, because a compromised IED can serve as a foothold for lateral movement within the industrial network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires network access to the device but leverages a built-in factory mode feature.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.1x or later

Vendor Advisory: https://www.gegridsolutions.com/Passport/Login.aspx

Restart Required: Yes

Instructions:

1. Download firmware version 8.1x or later from the GE Grid Solutions portal.
2. Follow GE's firmware update procedures for UR IED devices.
3. Verify the update succeeded and confirm the factory mode status.

🔧 Temporary Workarounds

Network Segmentation

Applies to: all

Isolate UR IED devices in dedicated industrial network segments with strict firewall rules.

Access Control Lists

Applies to: all

Implement strict network access controls to limit communication to authorized systems only.

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to isolate affected devices
  • Monitor network traffic for unauthorized access attempts to factory mode features

🔍 How to Verify

Check if Vulnerable:

Check the firmware version in the device configuration interface; if it is below 8.1x and the device uses the 'Basic' security variant, the device is vulnerable.

Check Version:

Check via device configuration interface or management software; no universal CLI command available.

Verify Fix Applied:

Confirm the firmware version is 8.1x or later and that factory mode is disabled in the device configuration.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to factory mode
  • Configuration changes from unexpected sources

Network Indicators:

  • Unexpected traffic to UR IED management ports
  • Factory mode protocol usage

SIEM Query:

source_ip:industrial_network AND dest_port:management_port AND action:configuration_change
