New research reveals a 15-year authentication gap in GE Vernova's most widely deployed protection relay platform — and the power grid standards that made it possible.

In February 2026 I downloaded firmware directly from GE Vernova's public website, extracted it on my computer, and found that the latest version of their Universal Relay platform — the device that protects circuit breakers in substations around the world — will accept remote control commands from anyone with network access. No username. No password. No cryptographic credential of any kind.

The firmware is version 8.70, released November 2024. The vulnerability has been present since at least version 5.49, which dates to around 2009. Fifteen years. Five firmware versions. The same gap, never closed.

I submitted this research to CISA in February. They declined to formally coordinate the disclosure, determining that the absence of authentication is a standards-level issue rather than a specific exploitable defect under their coordination framework. With that process complete, I am publishing this research publicly today. You can read the full technical white paper at vulnhunterai.com.

What These Devices Do

GE Universal Relays are protection relays — specialized computers installed in electrical substations that monitor the power grid and respond to fault conditions. When a transmission line shorts out or a transformer fails, the relay detects the problem in milliseconds and sends a command to trip the circuit breaker, disconnecting the damaged equipment before it causes further harm.

They are safety devices. Their job is to prevent fires, equipment destruction, and cascading blackouts.

The GE Universal Relay platform covers 19 product lines protecting buses, transformers, transmission lines, generators, motors, and feeders. These devices are installed in substations operated by electric utilities across Europe, Asia, Latin America, and North America.

The Protocol and the Gap

The vulnerability exists in the device's implementation of IEC 60870-5-104, an international standard that defines how SCADA control systems communicate with substation equipment over a network. In Europe and most international markets, IEC 104 is the dominant protocol for this purpose — the standard language spoken between a utility's control room and its substations.

The security extensions for this protocol live in the IEC 62351 family. IEC 62351-3 specifies how to carry IEC 104 over TLS with certificate-based authentication of both ends of the connection, and IEC 62351-5 specifies application-layer authentication, so that a control command is accepted only from a peer that has proven possession of a key. Together they are what lets a relay reject commands from anyone who merely has a network path to it. The family has existed since 2007.

GE's firmware contains a full TLS stack. It contains X.509 certificate handling. It implements other parts of the IEC 62351 security standard family. But nothing in it secures IEC 104. The IANA-registered port for IEC 104 over TLS (19998, iec-104-sec) does not appear anywhere across five firmware versions spanning fifteen years; only the unsecured port (2404) is implemented, and the commands arriving on it are not subject to IEC 62351-5 authentication.

The firmware also contains explicit strings that point to a designed-in unauthenticated mode of operation (No_Auth, set-noauth-flag) and French-language variants of the same names, suggesting these modes were inherited from the original protocol implementation and carried forward through every subsequent version.

This is not a bug that slipped through. It is an architectural decision made when the platform was designed and maintained through every update since.

What an Attacker Can Do

An attacker who gains network access to port 2404 on a GE Universal Relay can:

  • Connect to the device with no authentication challenge

  • Send a command to trip or close any circuit breaker the relay controls

  • Do this using publicly available open-source software that implements the IEC 104 protocol

  • Leave no authentication trail, because there is no authentication to log

The attack does not require custom malware, specialized hardware, or deep technical expertise. It requires knowing the protocol — which is a published international standard — and having a network path to the device.

The most realistic attack paths are a compromised engineering workstation inside the substation network, a vendor remote access connection, or a breach of the corporate network that reaches the operational technology segment.

The Deeper Problem

The root cause is not GE specifically. It is that IEC 62351-5 has been designated as optional since its publication. Optional security for critical infrastructure protocols produces predictable results: global adoption is estimated below five percent despite nearly two decades of availability.

Vendors implementing IEC 104 can achieve full standards compliance while shipping devices with no authentication. Utilities deploying those devices have no standards-based mechanism to demand otherwise. Regulators in North America and Europe have not yet mandated IEC 62351 compliance. The result is what you see here — a fifteen-year-old gap that nobody was required to close.

What Needs to Happen

GE Vernova should publish a formal security advisory and provide a firmware roadmap for IEC 62351 support, including the TLS port and application-layer authentication for IEC 104. Utility operators should immediately isolate IEC 104 traffic to dedicated network segments, restrict port 2404 on each relay to the SCADA master that is supposed to issue commands, and deploy monitoring that flags control ASDUs (single, double and set-point commands) on port 2404 from any other source. Standards bodies should make IEC 62351-5 mandatory. Regulators should update NERC CIP and NIS2 guidance to require authenticated SCADA protocols.
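As an added illustration (not code from the white paper, from GE Vernova, or from any IEC 104 library), the following Python ties together the protocol description in "The Protocol and the Gap" and the monitoring recommended above. It decodes the fixed-size APCI/ASDU layout of IEC 60870-5-104, recognises the control type identifications (45 to 51 and 58 to 64), and raises an alert for any activation command whose source is not the one SCADA master allowed to issue commands. The frames, IP addresses and allow-list are constructed for the example, not captured from a relay.

```python
"""Minimal IEC 60870-5-104 APDU decoder and control-command monitor.

Added example, not code from the white paper or from GE. The byte layout
follows the public IEC 60870-5-104 standard; the sample frames and
addresses below are constructed by hand, not captured from a real relay.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Collection, Optional

# ASDU type identifications that change process state.
CONTROL_TYPES = {
    45: "C_SC_NA_1 single command", 46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step", 48: "C_SE_NA_1 set point (normalised)",
    49: "C_SE_NB_1 set point (scaled)", 50: "C_SE_NC_1 set point (float)",
    51: "C_BO_NA_1 bitstring", 58: "C_SC_TA_1 single command (time tag)",
    59: "C_DC_TA_1 double command (time tag)", 60: "C_RC_TA_1 regulating step (time tag)",
    61: "C_SE_TA_1 set point (time tag)", 62: "C_SE_TB_1 set point (time tag)",
    63: "C_SE_TC_1 set point (time tag)", 64: "C_BO_TA_1 bitstring (time tag)",
}
COT_ACTIVATION = 6  # cause of transmission "activation": master -> relay


@dataclass
class Apdu:
    fmt: str                          # "I", "S" or "U"
    type_id: Optional[int] = None
    cot: Optional[int] = None
    common_addr: Optional[int] = None
    ioa: Optional[int] = None
    state: Optional[str] = None       # ON/OFF for single and double commands
    select: Optional[bool] = None     # S/E bit: True = select, False = execute


def parse_apdu(raw: bytes) -> Apdu:
    """Decode one APDU: 0x68, length, four control octets, then the ASDU."""
    if len(raw) < 6 or raw[0] != 0x68 or raw[1] != len(raw) - 2:
        raise ValueError("not a well-formed IEC 104 APDU")
    ctrl = raw[2]
    if ctrl & 0x01 == 0:
        fmt = "I"                     # numbered information transfer
    elif ctrl & 0x03 == 0x01:
        fmt = "S"                     # numbered supervisory (ack only)
    else:
        fmt = "U"                     # unnumbered control (STARTDT, TESTFR, ...)
    if fmt != "I":
        return Apdu(fmt)
    # IEC 104 fixes the ASDU field sizes: type 1, VSQ 1, COT 2, CA 2, IOA 3.
    asdu = raw[6:]
    if len(asdu) < 9:
        raise ValueError("I-frame with truncated ASDU header")
    type_id = asdu[0]
    cot = asdu[2] & 0x3F              # low six bits; bit 6 is P/N, bit 7 is test
    common_addr = int.from_bytes(asdu[4:6], "little")
    ioa = int.from_bytes(asdu[6:9], "little")
    state = select = None
    if type_id in (45, 58) and len(asdu) > 9:      # SCO: bit 0 = SCS, bit 7 = S/E
        state = "ON" if asdu[9] & 0x01 else "OFF"
        select = bool(asdu[9] & 0x80)
    elif type_id in (46, 59) and len(asdu) > 9:    # DCO: bits 0-1 = DCS (1 OFF, 2 ON)
        state = {1: "OFF", 2: "ON"}.get(asdu[9] & 0x03, "INVALID")
        select = bool(asdu[9] & 0x80)
    return Apdu(fmt, type_id, cot, common_addr, ioa, state, select)


def check_frame(src_ip: str, raw: bytes, allowed_masters: Collection[str]) -> Optional[str]:
    """Return an alert for a control activation from an unexpected peer, else None.

    Plain IEC 104 on port 2404 carries no credentials, so the source address is
    the only thing available to match on. This is a network-side compensating
    control, not a substitute for IEC 62351 authentication on the relay.
    """
    apdu = parse_apdu(raw)
    if apdu.fmt != "I" or apdu.type_id not in CONTROL_TYPES:
        return None
    if apdu.cot != COT_ACTIVATION:
        return None                   # confirmations and terminations flow relay -> master
    if src_ip in allowed_masters:
        return None
    return (f"ALERT {src_ip}: {CONTROL_TYPES[apdu.type_id]} CA={apdu.common_addr} "
            f"IOA={apdu.ioa} state={apdu.state} select={apdu.select}")


# Constructed sample traffic toward a relay on port 2404 (hypothetical hosts).
SAMPLE_FRAMES = [
    # U-frame STARTDT act: opens data transfer; no credentials are exchanged.
    ("10.0.5.99", bytes.fromhex("68 04 07 00 00 00")),
    # C_IC_NA_1 station interrogation (type 100): read-only, not a control.
    ("10.0.5.10", bytes.fromhex("68 0E 00 00 00 00 64 01 06 00 01 00 00 00 00 14")),
    # C_SC_NA_1 activation, CA=1, IOA=100, SCS=1 (ON), execute, from the master.
    ("10.0.5.10", bytes.fromhex("68 0E 02 00 02 00 2D 01 06 00 01 00 64 00 00 01")),
    # The same single command (OFF) from an unknown host: the case the page describes.
    ("10.0.5.99", bytes.fromhex("68 0E 00 00 00 00 2D 01 06 00 01 00 64 00 00 00")),
    # C_DC_NA_1 double command OFF (DCS=1) on IOA=101 from the unknown host.
    ("10.0.5.99", bytes.fromhex("68 0E 02 00 00 00 2E 01 06 00 01 00 65 00 00 01")),
]


def run_monitor(frames=SAMPLE_FRAMES, allowed_masters=frozenset({"10.0.5.10"})) -> list[str]:
    """Apply check_frame to each (source, APDU) pair and return the alerts raised."""
    return [a for src, raw in frames if (a := check_frame(src, raw, allowed_masters))]


if __name__ == "__main__":
    for alert in run_monitor():
        print(alert)
```

On the constructed traffic this raises two alerts, one for each control activation from the host that is not the allow-listed master; the STARTDT and interrogation frames from that host pass silently because they change nothing. The allow-list is only as strong as the network it sits on, which is the point of the article: a compromised engineering workstation or a spoofed master address gets through, and only IEC 62351 authentication on the relay itself closes the gap.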

The full technical white paper — including static analysis evidence, affected product list, CVSS scoring, attack scenario walkthrough, and detailed mitigation guidance — is available at vulnhunterai.com.

Ryan Sharpnack is an independent ICS security researcher and founder of VulnHunter AI. He conducts static firmware analysis of publicly available industrial control system software to identify security gaps in critical infrastructure protocols. He can be reached at [email protected].
