GE Digital CIMPLICITY
Monitor | 6.6 | ICS-CERT ICSA-23-199-06 | Jul 18, 2023
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
GE CIMPLICITY contains a memory corruption vulnerability (CWE-122) that could allow code execution if an authenticated local user opens a specially crafted document. The vulnerability affects all versions of CIMPLICITY. It is not exploitable remotely and requires the user to have valid credentials and local access to the affected system, then be socially engineered into opening a malicious file. No public exploits exist, and GE has not released a vendor fix; mitigation relies on user training, access controls, and secure deployment practices.
What this means
What could happen
An authenticated local user who opens a malicious document could trigger memory corruption in CIMPLICITY, potentially allowing code execution on the HMI system and affecting real-time monitoring and control of industrial processes.
Who's at risk
Operators and engineers at water utilities, electric utilities, and other critical infrastructure facilities using GE CIMPLICITY HMI/SCADA systems for real-time process monitoring and control. This includes any facility relying on CIMPLICITY for alarm management, data logging, or operator interface functions.
How it could be exploited
An attacker must first obtain valid credentials and local access to a CIMPLICITY workstation, then distribute a specially crafted document (likely a project file or configuration file compatible with CIMPLICITY). When an authorized user opens this malicious document, the memory corruption vulnerability is triggered, potentially leading to arbitrary code execution with the privileges of that user.
Prerequisites
- Valid local user credentials on the CIMPLICITY workstation
- Physical or remote desktop access to the CIMPLICITY system
- Social engineering or phishing to convince an authorized user to open a malicious document
- The target user must actually open/execute the malicious file
- Memory corruption vulnerability
- Potential code execution on HMI system
- Requires user interaction to exploit
- No patch available from vendor
- Affects all versions of CIMPLICITY
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
CIMPLICITY: * | All versions | No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Follow GE Digital's Secure Deployment Guide (SDG) instructions for CIMPLICITY systems, emphasizing user security training to avoid opening documents from untrusted sources
- HARDENING: Implement strong access management and limit local user accounts on CIMPLICITY workstations to only those who require access
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Restrict user privileges on CIMPLICITY systems to the minimum required for their role
- HARDENING: Monitor CIMPLICITY systems for unusual behavior or crashes that may indicate exploitation attempts
- HOTFIX: Contact your local GE Digital representative to inquire about available updates or patches as they become available
CVEs (1)
API:
/api/v1/advisories/59398892-4be8-4433-9c6f-963c5ab7d964