
CISA is warning of vulnerabilities in GE Power Management Devices


The U.S. Cybersecurity & Infrastructure Security Agency (CISA) warns of vulnerabilities in GE Power Management devices that an attacker could exploit to conduct multiple malicious activities on systems belonging to the Universal Relay (UR) family.

The flaws could be exploited to access sensitive information, reboot the device, trigger a denial-of-service condition, and gain privileged access.

The vulnerability types affecting the devices are Inadequate Encryption Strength, Session Fixation, Exposure of Sensitive Information to an Unauthorized Actor, Improper Input Validation, Unrestricted Upload of File with Dangerous Type, Insecure Default Variable Initialization, and Use of Hard-coded Credentials.

“Successful exploitation of these vulnerabilities could allow an attacker to access sensitive information, reboot the UR, gain privileged access, or cause a denial-of-service condition.” reads the alert published by CISA.

GE’s UR devices are used to control and protect the power consumption of various devices. The affected UR families are B30, B90, C30, C60, C70, C95, D30, D60, F35, F60, G30, G60, L30, L60, L90, M60, N60, T35, and T60. The vendor released security updates for all these devices and urges customers to update their installations; it also released mitigations to address the flaws.

“GE strongly recommends users with impacted firmware versions update their UR devices to UR firmware Version 8.10, or greater to resolve these vulnerabilities. GE provides additional mitigations and information about these vulnerabilities in GE Publication Number: GES-2021-004 (login required).” continues the alert.

The most severe issue addressed by the vendor is a critical “INSECURE DEFAULT VARIABLE INITIALIZATION” issue tracked as CVE-2021-27426 and rated with a CVSS score of 9.8 out of 10.

“UR IED with “Basic” security variant does not allow the disabling of the “Factory Mode,” which is used for servicing the IED by a “Factory” user.” reads the advisory for this flaw.

The vulnerability could be exploited by a remote attacker to bypass security restrictions.

“GE UR family could allow a remote attacker to bypass security restrictions, caused by insecure default variable initialization in UR IED. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access restrictions.” reads the advisory published by IBM X-Force.

Another high-severity issue addressed by the vendor is a “USE OF HARD-CODED CREDENTIALS” flaw tracked as CVE-2021-27430, which received a CVSS score of 8.4.

“UR bootloader binary Version 7.00, 7.01 and 7.02 included unused hardcoded credentials. Additionally, a user with physical access to the UR IED can interrupt the boot sequence by rebooting the UR.” continues the advisory.

GE also addressed a high-severity issue, an EXPOSURE OF SENSITIVE INFORMATION TO AN UNAUTHORIZED ACTOR, tracked as CVE-2021-27422 and rated with a CVSS v3 base score of 7.5.

“Web server interface is supported on UR over HTTP protocol. It allows sensitive information exposure without authentication.” continues the alert.

GE recommends the implementation of network defense-in-depth practices to protect UR IED, including placing UR IED inside the control system network security perimeter, and having access controls, monitoring (such as an Intrusion Detection System), and other mitigating technologies in place. 

“CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities.” states CISA. “Specifically, users should:

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.”
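An asset-inventory triage built from the details reported above, added here as an example and not taken from CISA or GE: it flags relays in the affected families whose firmware is below 8.10 or whose bootloader is 7.00, 7.01 or 7.02. The CSV column names, host names and the "Other" variant label are hypothetical, and treating every firmware version below 8.10 as needing the update and checking the bootloader independently of firmware are assumptions, since the article does not list the impacted versions.

```python
import csv
import io

# Values taken from the article: affected UR families, the fixed firmware
# version, and the bootloader versions that shipped hard-coded credentials.
AFFECTED_FAMILIES = {"B30", "B90", "C30", "C60", "C70", "C95", "D30", "D60",
                     "F35", "F60", "G30", "G60", "L30", "L60", "L90", "M60",
                     "N60", "T35", "T60"}
FIXED_FIRMWARE = (8, 10)
BOOTLOADERS_WITH_CREDS = {(7, 0), (7, 1), (7, 2)}

# Constructed sample inventory (hypothetical hosts and column names).
SAMPLE_INVENTORY = """host,model,firmware,bootloader,security_variant
relay-01,L90,7.60,7.01,Basic
relay-02,T60,8.10,7.03,Other
relay-03,D60,8.03,7.02,Other
relay-04,X99,7.20,7.00,Basic
"""

def parse_version(text):
    """'8.03' -> (8, 3); compared as integers so 8.10 sorts above 8.9."""
    return tuple(int(part) for part in text.strip().split("."))

def triage(row):
    """Return the list of findings for one inventory row."""
    if row["model"].strip().upper() not in AFFECTED_FAMILIES:
        return []  # not a UR family named in the advisory
    findings = []
    if parse_version(row["firmware"]) < FIXED_FIRMWARE:
        findings.append("firmware below 8.10: update recommended by GE")
        if row["security_variant"].strip().lower() == "basic":
            findings.append("Basic variant: Factory Mode cannot be disabled (CVE-2021-27426)")
    if parse_version(row["bootloader"]) in BOOTLOADERS_WITH_CREDS:
        findings.append("bootloader contains hard-coded credentials (CVE-2021-27430)")
    return findings

def triage_inventory(csv_text):
    """Map each host that has findings to its list of findings."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = triage(row)
        if findings:
            report[row["host"]] = findings
    return report

if __name__ == "__main__":
    for host, findings in triage_inventory(SAMPLE_INVENTORY).items():
        print(host, "->", "; ".join(findings))
```
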


Pierluigi Paganini

(SecurityAffairs – hacking, CISA)
