GE Digital CIMPLICITY

MonitorCVSS 6.6ICS-CERT ICSA-23-199-06Jul 18, 2023

GE Vernova

Attack path

Attack VectorLocal

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

GE CIMPLICITY contains a memory corruption vulnerability (CWE-122) that could allow code execution if an authenticated local user opens a specially crafted document. The vulnerability affects all versions of CIMPLICITY. It is not exploitable remotely and requires the user to have valid credentials and local access to the affected system, then be socially engineered into opening a malicious file. No public exploits exist, and GE has not released a vendor fix; mitigation relies on user training, access controls, and secure deployment practices.

What this means

What could happen

An authenticated local user who opens a malicious document could trigger memory corruption in CIMPLICITY, potentially allowing code execution on the HMI system and affecting real-time monitoring and control of industrial processes.

Who's at risk

Operators and engineers at water utilities, electric utilities, and other critical infrastructure facilities using GE CIMPLICITY HMI/SCADA systems for real-time process monitoring and control. This includes any facility relying on CIMPLICITY for alarm management, data logging, or operator interface functions.

How it could be exploited

An attacker must first obtain valid credentials and local access to a CIMPLICITY workstation, then distribute a specially crafted document (likely a project file or configuration file compatible with CIMPLICITY). When an authorized user opens this malicious document, the memory corruption vulnerability is triggered, potentially leading to arbitrary code execution with the privileges of that user.

Prerequisites

Valid local user credentials on the CIMPLICITY workstation
Physical or remote desktop access to the CIMPLICITY system
Social engineering or phishing to convince an authorized user to open a malicious document
The target user must actually open/execute the malicious file

Memory corruption vulnerabilityPotential code execution on HMI systemRequires user interaction to exploitNo patch available from vendorAffects all versions of CIMPLICITY

Exploitability

Unlikely to be exploited — EPSS score 0.2%

Affected products (1)

ProductAffected VersionsFix Status

CIMPLICITY: *All versionsNo fix (EOL)

Remediation & Mitigation

0/5

Do now

0/2

HARDENINGFollow GE Digital's Secure Deployment Guide (SDG) instructions for CIMPLICITY systems, emphasizing user security training to avoid opening documents from untrusted sources

HARDENINGImplement strong access management and limit local user accounts on CIMPLICITY workstations to only those who require access

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HARDENINGRestrict user privileges on CIMPLICITY systems to the minimum required for their role

HARDENINGMonitor CIMPLICITY systems for unusual behavior or crashes that may indicate exploitation attempts

HOTFIXContact your local GE Digital representative to inquire about available updates or patches as they become available

CVEs (1)

CVE-2023-3463

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/59398892-4be8-4433-9c6f-963c5ab7d964

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.