GE CIMPLICITY
Monitor | 7.8 | ICS-CERT ICSA-22-326-04 | Nov 22, 2022
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
GE CIMPLICITY versions from 2022 and earlier contain memory safety vulnerabilities (CWE-824, CWE-122, CWE-822, CWE-787) that could allow arbitrary code execution or crash the application. Exploitation requires local access and user interaction (opening a malicious file or project).
What this means
What could happen
An attacker with local access who tricks an operator into opening a malicious CIMPLICITY project file could execute arbitrary code on the HMI/engineering workstation, potentially disrupting process monitoring or control functions, or crashing the application.
Who's at risk
Energy sector operators using CIMPLICITY (GE Vernova) for HMI/SCADA visualization and engineering workstations. This affects anyone who receives or opens CIMPLICITY project files, including engineering staff and shift operators in power generation and distribution facilities.
How it could be exploited
An attacker crafts a malicious CIMPLICITY project file (.cim or similar) and delivers it via email or file sharing. When an authorized user opens the file in CIMPLICITY, the memory corruption vulnerabilities are triggered, allowing the attacker to execute arbitrary code with the privileges of the CIMPLICITY process.
Prerequisites
- Local or physical access to the engineering workstation or HMI running CIMPLICITY
- Social engineering: operator must open a malicious project file or attachment
- CIMPLICITY version 2022 or earlier installed
- Low complexity attack
- Requires user interaction (file opening)
- Memory safety vulnerability (CWE-824, CWE-122, CWE-787)
- No patch available for affected versions
- Affects HMI/operator interface on engineering or control workstations
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
CIMPLICITY - CIMPLICITY | ≤ 2022 | No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Restrict file-opening permissions: only authorized engineering staff should be able to open CIMPLICITY project files; operators should not have write access to project directories
- HARDENING: Educate operators and engineering staff to not open CIMPLICITY project files from untrusted sources (email, USB drives, file shares)
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Refer to GE CIMPLICITY Secure Deployment Guide, Section 3.5 (Projects) and Section 4.2 (CimView) for security configuration guidance
- WORKAROUND: Implement application whitelisting or code signing verification for CIMPLICITY project files to prevent execution of unsigned or malicious projects
- HARDENING: Monitor CIMPLICITY process behavior for unexpected crashes or anomalous activity; establish logging and alerting for project file access
Mitigations - no patch available
CIMPLICITY - CIMPLICITY has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
- HARDENING: Isolate engineering workstations and HMI systems from the internet and untrusted networks to reduce the attack vector for malicious file delivery