OTPulse

GE Digital CIMPLICITY

Plan Patch | CVSS 7.8 | ICS-CERT ICSA-23-243-02 | Aug 31, 2023
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

A privilege escalation vulnerability in GE Digital CIMPLICITY v2023 allows a low-privileged local user to escalate to SYSTEM level access on the workstation running the software. This could allow an insider or attacker with local access to modify control configurations, HMI displays, alarms, or process logic. The vulnerability is not remotely exploitable and requires prior login access to the CIMPLICITY system.

What this means
What could happen
A local user with low privileges on the CIMPLICITY workstation could escalate to SYSTEM level access, allowing them to modify process configurations, disable alarms, or alter control logic.
Who's at risk
Engineering teams and operators using GE CIMPLICITY v2023 HMI/SCADA software on Windows workstations to monitor and control process systems. This affects facilities in water, electric, manufacturing, and other critical infrastructure sectors where CIMPLICITY is deployed as the engineering or operations console.
How it could be exploited
An attacker with local login access to a CIMPLICITY v2023 workstation exploits a privilege escalation flaw to run arbitrary commands as SYSTEM. This requires physical or remote desktop access to the engineering workstation itself.
Prerequisites
  • Local login credentials to the CIMPLICITY workstation
  • CIMPLICITY v2023 (prior to SIM 1 update) installed and running
  • User account with standard (non-administrator) privileges
Local access required · Low complexity attack · Affects engineering workstations · High impact on process control if compromised
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (1)
Product | Affected Versions | Fix Status
CIMPLICITY: v2023 | v2023 | v2023 SIM 1
Remediation & Mitigation
Do now
HARDENING: Restrict local login access to CIMPLICITY workstations to authorized engineering staff only; enforce strong password policies and disable or remove unnecessary local accounts
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update CIMPLICITY from v2023 to v2023 SIM 1 (requires GE login to access patch)
HARDENING: Isolate CIMPLICITY engineering workstations on a separate network segment from business networks and the Internet; restrict RDP or remote access to this network to secure VPN connections only
GE Digital CIMPLICITY | CVSS 7.8 - OTPulse