OTPulse

GE Proficy CIMPLICITY-IPM

Monitor · 7.5 · ICS-CERT ICSA-22-053-01 · Feb 22, 2022
Attack Vector: Local
Auth Required: Low
Complexity: High
User Interaction: Required
Summary

GE Proficy CIMPLICITY versions 11.1 and earlier contain an improper access control vulnerability (CWE-269) that could allow a local attacker with low privileges to escalate to higher privileges and achieve code execution through user interaction. Successful exploitation could result in arbitrary code execution on the workstation. The vulnerability is not remotely exploitable and has high attack complexity. No known public exploits exist.

What this means
What could happen
An attacker with local access to a CIMPLICITY workstation could run arbitrary code with elevated privileges, potentially altering HMI logic, process setpoints, or operator screens in energy generation or distribution control systems.
Who's at risk
Energy sector operators using GE Proficy CIMPLICITY for HMI, SCADA visualization, or engineering workstations should evaluate this risk. This affects organizations running version 11.1 or earlier on workstations where untrusted users may have local access.
How it could be exploited
An attacker with local access to a CIMPLICITY workstation could exploit an improper access control issue to escalate privileges and achieve code execution. This requires interactive user action and involves high complexity; it is not exploitable remotely.
Prerequisites
  • Local access to a CIMPLICITY workstation
  • Low-privilege user account on the workstation
  • User interaction (e.g., opening a malicious file or project)
  • CIMPLICITY version 11.1 or earlier
Local attack vector only · High attack complexity · Requires user interaction · Low privilege escalation impact on operations
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (1)
Product | Affected Versions | Fix Status
Proficy CIMPLICITY: v11.1 and prior versions | ≤ 11.1 | No fix yet
Remediation & Mitigation
Do now
HARDENING: Apply access controls per the CIMPLICITY Secure Deployment Guide to restrict file and directory access to authorized personnel only
HARDENING: Restrict which CIMPLICITY projects are allowed to run on each machine per the Secure Deployment Guide
HARDENING: Ensure all CIMPLICITY machines and directories have properly configured access control limits to minimize unauthorized access
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade Proficy CIMPLICITY to the January 2022 release or later
Long-term hardening
HARDENING: Isolate CIMPLICITY workstations and engineering networks behind firewalls from the business network and Internet