Critical Vulnerability Information

1. Executive Summary

CVSS v3: 9.8
Severity: Remotely exploitable / Low skill level required
Vendor: GE
Device: MU320E
Vulnerabilities:
- Hardcoded passwords
- Execution with unnecessary privileges
- Insufficient encryption strength

2. Risk Assessment

Successful exploitation of these vulnerabilities may allow an attacker to escalate unnecessary privileges and gain control of the device using hardcoded credentials.

3. Technical Details

3.2.1 Hardcoded Passwords CWE-259

The software contains hardcoded passwords, which attackers can exploit to gain control over the merging unit.

CVE: CVE-2021-27452
CVSS v3: 9.8
CVSS Vector String: (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

3.2.2 Execution with Unnecessary Privileges CWE-250

Communication errors in the file system allow an adversary with file system access to escalate privileges to those of the MU320E.

CVE: CVE-2021-27448
CVSS v3: 7.8
CVSS Vector String: (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

3.2.3 Insufficient Encryption Strength CWE-326

The SSH server configuration file does not implement certain best practices, which may weaken the strength of the SSH protocol and lead to additional misconfigurations or exploitation in larger-scale attacks.

CVE: CVE-2021-27450
CVSS v3: 3.8
CVSS Vector String: (AV:L/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:N)

3.3 Background

Critical Infrastructure Sector: Multiple
Deployment Countries/Regions: Global
Company Headquarters Location: United States

3.4 Researcher

Tom Westenberg of Thales UK reported these vulnerabilities to GE.

4. Mitigation

GE recommends that MU320E users upgrade to firmware version v04A00.1 or higher to mitigate these vulnerabilities. For instructions on how to upgrade the MU320E firmware and verify its installation, refer to the product user manual.