Vulnerability Note VU#707254

UTC Fire & Security Master Clock contains hardcoded default administrator login credentials

Original Release date: 20 Feb 2012 | Last revised: 23 Jul 2012


UTC Fire & Security GE-MC100-NTP/GPS-ZB Master Clock devices have default administrator login credentials that cannot be modified by an administrator.


The UTC Fire & Security GE-MC100-NTP/GPS-ZB Master Clock can sync up to 60,000 slave clocks located throughout a campus-area network via Zigbee. An administrator will typically log in to the device by supplying credentials to a web interface. These devices contain a consistent, hardcoded administrative username and password that cannot be changed by the administrator.


A remote, unauthenticated attacker can view and change system configuration files or other sensitive data.


We are currently unaware of a practical solution to this problem.

Restrict Access
Do not allow access to the web interface of the UTC Fire & Security GE-MC100-NTP/GPS-ZB Master Clock from untrusted networks.

Block Access to the Web Interface
Blocking access to port 80/tcp will prevent any user, even authorized administrators, from logging in to the web interface, but will not interfere with the UTC Fire & Security GE-MC100-NTP/GPS-ZB Master Clock slave clock syncing.
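
One way to confirm the workarounds above are in effect, as an added example (not part of the original advisory or any vendor tooling): run this from an untrusted network segment to see whether port 80/tcp on each master clock in your inventory still accepts connections. The inventory addresses are constructed placeholders from the documentation range, and the function names are illustrative.

```python
import socket
import sys

WEB_PORT = 80  # web interface port named in the advisory


def probe(host, port=WEB_PORT, timeout=2.0):
    """Classify one TCP connect attempt as 'open', 'closed' or 'filtered'.

    open     -> handshake completed; the web interface is reachable from here
    closed   -> connection refused (host or firewall sent a reset)
    filtered -> timed out or unreachable (typical of a firewall drop rule)
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # includes timeouts and "no route to host"
        return "filtered"
    finally:
        sock.close()


def audit(hosts, port=WEB_PORT, timeout=2.0):
    """Probe every host; return (per-host results, sorted list of exposed hosts)."""
    results = {host: probe(host, port, timeout) for host in hosts}
    exposed = sorted(h for h, state in results.items() if state == "open")
    return results, exposed


if __name__ == "__main__":
    # Constructed inventory: replace with the IP addresses of your own
    # master clocks (use IP literals, not host names).
    inventory = ["192.0.2.10", "192.0.2.11"]
    results, exposed = audit(inventory)
    for host, state in sorted(results.items()):
        print(f"{host}:{WEB_PORT}/tcp {state}")
    if exposed:
        print("Web interface still reachable from this segment:", ", ".join(exposed))
        sys.exit(1)
    print("No master clock web interface is reachable from this segment.")
```

A result of "open" from an untrusted segment means the access restriction is not in place for that device; "closed" or "filtered" is the expected outcome once port 80/tcp is blocked.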

Vendor Information

Vendor                Status     Date Notified   Date Updated
General Electric      Affected   09 Jan 2012     06 Feb 2012
UTC Fire & Security   Affected   12 Jan 2012     06 Feb 2012
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group           Score   Vector
Base            5.3     AV:N/AC:/Au:N/C:C/I:C/A:C
Temporal        5.0     E:H/RL:W/RC:C
Environmental   1.3     CDP:/TD:L/CR:ND/IR:ND/AR:ND



Thanks to Temple Murphy for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

  • CVE IDs: CVE-2012-1288
  • Date Public: 20 Feb 2012
  • Date First Published: 20 Feb 2012
  • Date Last Updated: 23 Jul 2012
  • Severity Metric: 34.20
  • Document Revision: 24


If you have feedback, comments, or additional information about this vulnerability, please send us email.