OTPulse
FeedAboutContact

GE Intelligent Platforms Proficy Cimplicity Multiple Vulnerabilities

Act NowICS-CERT ICSA-13-022-02Oct 26, 2013
Summary

Proficy CIMPLICITY versions 4.01 and later contain multiple vulnerabilities including path traversal (CWE-22) and input validation flaws (CWE-20). These allow an attacker to read arbitrary files from the server or upload malicious files that execute on the system. No patches are currently available from GE Vernova.

What this means
What could happen
An attacker could read arbitrary files from the server or upload malicious files that execute on the SCADA system, potentially disrupting industrial processes or enabling persistent access to critical infrastructure.
Who's at risk
This affects energy utilities and manufacturing facilities using GE Proficy CIMPLICITY as their HMI/SCADA system. Any organization running Proficy HMI/SCADA CIMPLICITY version 4.01 or later, or Proficy Process Systems with CIMPLICITY of any version, is potentially vulnerable.
How it could be exploited
An attacker with network access to CIMPLICITY can exploit path traversal (CWE-22) and input validation (CWE-20) flaws to read sensitive files or upload executable code. The attack requires reaching the HMI/SCADA interface but does not require authentication.
Prerequisites
  • Network access to CIMPLICITY HMI/SCADA interface
  • No authentication required
remotely exploitableno authentication requiredno patch availablehigh EPSS score (13.2%)affects SCADA/HMI systems
Exploitability
High exploit probability (EPSS 13.2%)
Affected products (2)
2 EOL
ProductAffected VersionsFix Status
Proficy HMI/SCADA – CIMPLICITY: >=4.01≥ 4.01No fix (EOL)
Proficy Process Systems with CIMPLICITY: vers:all/*All versionsNo fix (EOL)
Remediation & Mitigation
0/4
Do now
0/2
HARDENINGImplement network segmentation to isolate CIMPLICITY systems from untrusted networks and limit access to engineering workstations only
WORKAROUNDDeploy firewall rules to restrict inbound access to CIMPLICITY ports to known, legitimate sources
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HARDENINGMonitor file system activity on CIMPLICITY servers for unauthorized file reads or uploads
Long-term hardening
0/1
HOTFIXContact GE Vernova for a timeline and availability of security patches, and plan an upgrade or migration strategy
View full CISA ICS-CERT advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/99833ed2-609e-4da0-a9fe-40b477e1ab51
GE Intelligent Platforms Proficy Cimplicity Multiple Vulnerabilities - OTPulse