Connect with us

Hi, what are you looking for?



Recently Patched GE Cimplicity Vulnerabilities Reminiscent of Russian ICS Attacks

Over a dozen vulnerabilities patched by GE in its Cimplicity HMI/SCADA product are reminiscent of ICS attacks conducted by the Russian Sandworm group.

Over a dozen vulnerabilities patched recently by GE in its Cimplicity product are reminiscent of industrial control system (ICS) attacks conducted by a notorious Russian hacker group.

The US Cybersecurity and Infrastructure Security Agency (CISA) on Tuesday published an advisory to inform users about vulnerabilities found in GE’s Cimplicity human-machine interface (HMI) and supervisory control and data acquisition (SCADA) product, which is used by major organizations worldwide, including in critical infrastructure sectors.

The CISA advisory describes CVE-2023-3463, which has been assigned to a series of flaws that can be exploited for arbitrary code execution. 

GE has released a patch and noted, “Exploit is only possible if an authenticated user with local access to the system obtains and opens a document from a malicious source so secure deployment and strong access management by users is essential.”

Michael Heinzl, the ICS cybersecurity researcher who discovered the vulnerabilities, told SecurityWeek that while only one CVE identifier has been assigned — the vendor apparently insisted on this — there are actually a total of 14 memory corruption vulnerabilities, including uninitialized pointer, out-of-bounds read, out-of-bounds write, use-after-free, and heap-based buffer overflow bugs.

Heinzl reported his findings to the vendor, through CISA, in December 2022, and pointed out that it has taken GE a long time to patch these and other vulnerabilities. 

The researcher has published individual advisories for each of the 14 flaws on his website. He said each vulnerability can be exploited for arbitrary code execution by getting a legitimate user to open a specially crafted .cim project file, and noted that the attack works in the product’s default configuration against all versions.

According to the expert, the application’s installation folder contains a subfolder named ‘No_DEP’, which includes a copy of an affected application binary that has Data Execution Prevention (DEP) disabled. Exploitation is easier against organizations that rely on this particular binary.

Advertisement. Scroll to continue reading.

The researcher said the latest GE Cimplicity vulnerabilities are reminiscent of attacks conducted a decade ago by a Russian state-sponsored hacker group named Sandworm, best known for its disruptive attacks on Ukraine’s energy sector.

Trend Micro reported in 2014 that the Sandworm group had targeted organizations using the Cimplicity product and the operation involved the use of .cim files as attack vectors.  

CISA at the time issued a warning to organizations related to those attacks

The agency’s analysis, which has been updated as recently as 2021, showed that the attackers had exploited a Cimplicity vulnerability tracked as CVE-2014-0751 to “have the HMI server execute a malicious .cim file [Cimplicity screen file] hosted on an attacker-controlled server”. The attackers used .cim files to deploy the BlackEnergy malware. 

Learn More at SecurityWeek’s ICS Cyber Security Conference
The leading global conference series for Operations, Control Systems and OT/IT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.
ICS Cybersecurity Conference
October 23-26, 2023 | Atlanta

Related: Several Horner PLC Software Vulnerabilities Allow Code Execution via Malicious Font Files

Related: Several Critical Vulnerabilities Affect SmartPTT, SmartICS Industrial Products

Related: High-Severity Vulnerabilities Patched in Omron PLC Programming Software

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


Wago has patched critical vulnerabilities that can allow hackers to take complete control of its programmable logic controllers (PLCs).


Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.


Cybersecurity firm Forescout shows how various ICS vulnerabilities can be chained for an exploit that allows hackers to cause damage to a bridge.

Cybersecurity Funding

Internet of Things (IoT) and Industrial IoT security provider Shield-IoT this week announced that it has closed a $7.4 million Series A funding round,...


More than 1,300 ICS vulnerabilities were discovered in 2022, including nearly 1,000 that have a high or critical severity rating.