Security Experts:

Connect with us

Hi, what are you looking for?



GE SCADA Product Vulnerabilities Show Importance of Secure Configurations

GE Digital has released patches and mitigations for two high-severity vulnerabilities affecting its Proficy CIMPLICITY HMI/SCADA software, which is used by plants around the world to monitor and control operations.

GE Digital has released patches and mitigations for two high-severity vulnerabilities affecting its Proficy CIMPLICITY HMI/SCADA software, which is used by plants around the world to monitor and control operations.

The flaws were found by industrial cybersecurity firm OTORIO, which this week published a brief blog post describing the issues. GE and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have released separate advisories for each of the vulnerabilities.GE patches vulnerabilities in Proficy CIMPLICITY SCADA software

One of the security holes, tracked as CVE-2022-23921, can be exploited for privilege escalation and remote code execution. However, successful exploitation requires access to the device running Proficy CIMPLICITY and the targeted server must not be running a project and it must be licensed for multiple projects. GE has released an update that should patch this vulnerability.

“CVE-2022-23921 may allow an attacker with a limited access to the CIMPLICITY server to escalate privileges by dropping a malicious file within the CIMPLICITY runtime project,” Matan Dobrushin, VP of research at OTORIO, told SecurityWeek.

The second issue, identified as CVE-2022-21798, is related to the transmission of credentials in clear text. An attacker who can capture the credentials through a man-in-the-middle (MitM) attack can use them to authenticate to the HMI and obtain information about alerts and other parts of the system. GE said an attacker — in some cases — may also be able to change values in the system.

Learn More About Vulnerabilities in Industrial Products at SecurityWeek’s ICS Cyber Security Conference

“Given CIMPLICITY’s central role in OT environments, the two vulnerabilities introduce a huge disruptive impact potential on this operational server. We can assume that if and when attackers establish a foothold in the network, CIMPLICITY will be on top of their list,” OTORIO warned in its blog post.

GE said users can prevent exploitation of CVE-2022-21798 by enabling encrypted communications. In fact, OTORIO noted that both vulnerabilities can be mitigated if the server has a secure configuration. The company noted, however, that this is often not the case.

[ READ: Here’s How Flaws in GE Relays Could Be Exploited in Real World Attacks ]

This is not the first time OTORIO has looked into the security of GE CIMPLICITY. The company last year released an open source hardening tool designed to help organizations secure their GE CIMPLICITY systems. GE has also advised customers to use the OTORIO tool.

It’s important that industrial organizations do not ignore these types of vulnerabilities. CIMPLICITY products have been targeted as part of sophisticated attacks linked to state-sponsored threat actors.

Related: InHand Router Flaws Could Expose Many Industrial Companies to Remote Attacks

Related: Over 100 GE Healthcare Devices Affected by Critical Vulnerability

Related: Profinet Vulnerability Exposes Siemens, Moxa Devices to DoS Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.