OTPulse

GE Vernova CIMPLICITY

Plan Patch · 7.8 · ICS-CERT ICSA-25-240-06 · Aug 28, 2025
Summary

A privilege escalation vulnerability in GE Vernova CIMPLICITY versions 2024, 2023, 2022, and 11.0 allows a low-privileged local attacker to escalate privileges on the affected system. The vulnerability is not remotely exploitable and requires local access to a CIMPLICITY workstation.

What this means
What could happen
A low-privileged local user on a CIMPLICITY system could escalate their privileges to gain higher access, potentially allowing them to modify control logic, process parameters, or disrupt operations.
Who's at risk
Manufacturing plants using GE Vernova CIMPLICITY for supervisory control and monitoring. This affects operators, engineers, and technicians with user accounts on CIMPLICITY workstations, and poses risk to any HMI or engineering workstations that manage process control logic or setpoints.
How it could be exploited
An attacker with local access to a CIMPLICITY workstation or HMI (human-machine interface) computer could exploit a privilege escalation vulnerability to run commands at a higher privilege level. This requires the attacker to already have a user account or local shell access on the system.
Prerequisites
  • Local access to the CIMPLICITY workstation or HMI system
  • Low-privileged user account on the affected system
low complexity · requires local access (not remotely exploitable) · affects control system HMI
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
CIMPLICITY: 2024_2023_2022_11.0 | 2024, 2023, 2022, 11.0 | 2024 SIM 4
Remediation & Mitigation
Do now
HARDENING: Restrict physical and remote access to CIMPLICITY workstations to authorized personnel only
WORKAROUND: Contact GE Vernova support for mitigation guidance if immediate upgrade to SIM 4 is not feasible
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade CIMPLICITY to version 2024 SIM 4 or later (available in GE support KB article 000071725)
HARDENING: Review and follow the CIMPLICITY Secure Deployment Guide (SDG) from GE Vernova support
Long-term hardening
HARDENING: Implement network segmentation to isolate CIMPLICITY systems from business networks and internet