GE Vernova CIMPLICITY
Plan Patch | CVSS 7.8 | ICS-CERT ICSA-25-240-06 | Aug 28, 2025
GE Vernova | Manufacturing
Summary
GE Vernova CIMPLICITY versions 2022, 2023, and 2024 through 11.0 contain a privilege escalation vulnerability (CWE-427) that allows a low-privileged local attacker to escalate to higher privilege levels. This vulnerability is exploitable only via local access and is not remotely accessible. The vendor has released CIMPLICITY 2024 SIM 4 as a fix.
What this means
What could happen
A low-privileged local user on a CIMPLICITY system could escalate privileges to gain higher-level access, potentially enabling unauthorized control of manufacturing processes or modifications to system configurations.
Who's at risk
Manufacturing organizations using GE Vernova CIMPLICITY for supervisory control and HMI should prioritize this update. Risk is highest for facilities where standard user accounts have interactive access to CIMPLICITY systems.
How it could be exploited
An attacker with low-privileged local access (such as a standard user account) to a CIMPLICITY workstation or server could exploit a privilege escalation vulnerability to gain administrative or system-level control. This requires the attacker to already have local command-line or application access to the affected machine.
Prerequisites
- Local access to a CIMPLICITY system (interactive or remote desktop session)
- Low-privileged user account on the affected system
- Ability to execute code or commands on the system
local exploitation only (not remotely exploitable) | requires low-privileged user account | affects manufacturing control systems | no public exploits known yet | vendor patch available
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (1)
Product | Affected Versions | Fix Status
CIMPLICITY: 2024_2023_2022_11.0 | 2024 2023 2022 11.0 | 2024 SIM 4
Remediation & Mitigation
Do now
HARDENING: Restrict local access to CIMPLICITY systems using operating system access controls and account privileges
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update CIMPLICITY to version 2024 SIM 4 or later
Long-term hardening
HARDENING: Review and implement the CIMPLICITY Secure Deployment Guide recommendations
HARDENING: Isolate CIMPLICITY networks from business networks using firewalls and network segmentation
CVEs (1)