Multiple vulnerabilities with proof-of-concept (PoC) exploit code affect the General Electric (GE) D20ME, part of the GE D20 Substation Controller product, according to a report from ICS-CERT.
The vulnerability is exploitable over TFTP connections to the controller, according to security researcher Reid Wightman, who revealed the vulnerability at the S4 conference this week.
ICS-CERT has notified GE of the report and has asked GE to confirm the vulnerability and identify mitigations.
ICS-CERT issued the alert to provide early notice of the report and identify baseline mitigations for reducing the risk from these and other cybersecurity attacks.
The report included vulnerability details and PoC exploit code for the following remotely exploitable vulnerabilities: data leakage that could expose authentication credentials; arbitrary code execution, where an attacker could execute arbitrary commands; and denial of service.
ICS-CERT is currently coordinating with GE and the researcher to identify mitigations.