Search

Find a vulnerability

Search criteria

    4 vulnerabilities found for Proficy CIMPLICITY by General Electric

    CVE-2022-23921 (GCVE-0-2022-23921)

    Vulnerability from nvd – Published: 2022-02-25 18:10 – Updated: 2025-04-16 18:00
    VLAI
    Title
    ICSA-22-053-01 GE Proficy CIMPLICITY-IPM
    Summary
    Exploitation of this vulnerability may result in local privilege escalation and code execution. GE maintains exploitation of this vulnerability is only possible if the attacker has login access to a machine actively running CIMPLICITY, the CIMPLICITY server is not already running a project, and the server is licensed for multiple projects.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    References
    Impacted products
    Vendor Product Version
    General Electric Proficy CIMPLICITY Affected: all , ≤ 11.1 (custom)
    Create a notification for this product.
    Date Public
    2022-02-22 00:00
    Credits
    Yuval Ardon and Roman Dvorkin of OTORIO reported this vulnerability to CISA
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T03:59:23.018Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-053-01"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-23921",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T17:31:12.537218Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T18:00:35.453Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Proficy CIMPLICITY",
              "vendor": "General Electric",
              "versions": [
                {
                  "lessThanOrEqual": "11.1",
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Yuval Ardon and Roman Dvorkin of OTORIO reported this vulnerability to CISA"
            }
          ],
          "datePublic": "2022-02-22T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Exploitation of this vulnerability may result in local privilege escalation and code execution. GE maintains exploitation of this vulnerability is only possible if the attacker has login access to a machine actively running CIMPLICITY, the CIMPLICITY server is not already running a project, and the server is licensed for multiple projects."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269 Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-02-25T18:10:55.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-053-01"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "GE Digital recommends users upgrade all instances of the affected software to GE Digital\u2019s Proficy CIMPLICITY, released January 2022 (Upgrade) and follow the instructions in the Secure Deployment Guide to restrict which CIMPLICITY projects are allowed to run. \n\nThe upgrade contains what GE believes are mitigation measures to help ensure the vulnerability cannot be exploited.\n\nUsers are encouraged to contact a GE Digital representative for the latest versions of the update.\n\nFor users who choose to not implement the upgrade, GE Digital recommends applying the instructions in CIMPLICITY\u2019s Secure Deployment Guide to ensure access to the CIMPLICITY machines and directories are properly controlled via access control limits."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "ICSA-22-053-01 GE Proficy CIMPLICITY-IPM",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "DATE_PUBLIC": "2022-02-22T23:08:00.000Z",
              "ID": "CVE-2022-23921",
              "STATE": "PUBLIC",
              "TITLE": "ICSA-22-053-01 GE Proficy CIMPLICITY-IPM"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Proficy CIMPLICITY",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "all",
                                "version_value": "11.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "General Electric"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Yuval Ardon and Roman Dvorkin of OTORIO reported this vulnerability to CISA"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Exploitation of this vulnerability may result in local privilege escalation and code execution. GE maintains exploitation of this vulnerability is only possible if the attacker has login access to a machine actively running CIMPLICITY, the CIMPLICITY server is not already running a project, and the server is licensed for multiple projects."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-269 Improper Privilege Management"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-053-01",
                  "refsource": "MISC",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-053-01"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "GE Digital recommends users upgrade all instances of the affected software to GE Digital\u2019s Proficy CIMPLICITY, released January 2022 (Upgrade) and follow the instructions in the Secure Deployment Guide to restrict which CIMPLICITY projects are allowed to run. \n\nThe upgrade contains what GE believes are mitigation measures to help ensure the vulnerability cannot be exploited.\n\nUsers are encouraged to contact a GE Digital representative for the latest versions of the update.\n\nFor users who choose to not implement the upgrade, GE Digital recommends applying the instructions in CIMPLICITY\u2019s Secure Deployment Guide to ensure access to the CIMPLICITY machines and directories are properly controlled via access control limits."
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2022-23921",
        "datePublished": "2022-02-25T18:10:55.935Z",
        "dateReserved": "2022-01-27T00:00:00.000Z",
        "dateUpdated": "2025-04-16T18:00:35.453Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-21798 (GCVE-0-2022-21798)

    Vulnerability from nvd – Published: 2022-02-25 18:10 – Updated: 2025-04-16 18:00
    VLAI
    Title
    ICSA-22-053-02 GE Proficy CIMPLICITY-Cleartext
    Summary
    The affected product is vulnerable due to cleartext transmission of credentials seen in the CIMPLICITY network, which can be easily spoofed and used to log in to make operational changes to the system.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-319 - Cleartext Transmission of Sensitive Information
    Assigner
    References
    Impacted products
    Date Public
    2022-02-22 00:00
    Credits
    Yuval Ardon and Roman Dvorkin of OTORIO reported this vulnerability to CISA
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T02:53:36.261Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-053-02"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-21798",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T17:31:09.941294Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T18:00:26.255Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Proficy CIMPLICITY",
              "vendor": "General Electric",
              "versions": [
                {
                  "status": "affected",
                  "version": "all"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Yuval Ardon and Roman Dvorkin of OTORIO reported this vulnerability to CISA"
            }
          ],
          "datePublic": "2022-02-22T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The affected product is vulnerable due to cleartext transmission of credentials seen in the CIMPLICITY network, which can be easily spoofed and used to log in to make operational changes to the system."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-319",
                  "description": "CWE-319 Cleartext Transmission of Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-02-25T18:10:56.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-053-02"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Users are advised to refer to the Secure Deployment Guide on how to configure communication encryption.\n\nUsers are encouraged to review the CIMPLICITY Windows Hardening Guide and Recommendations for further IPSEC configuration guidance found in the section titled \u201cAppendix A IPSEC Configuration.\u201d\n\nUsers are encouraged to contact a GE representative to obtain the latest versions of CIMPLICITY."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "ICSA-22-053-02 GE Proficy CIMPLICITY-Cleartext",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "DATE_PUBLIC": "2022-02-22T23:08:00.000Z",
              "ID": "CVE-2022-21798",
              "STATE": "PUBLIC",
              "TITLE": "ICSA-22-053-02 GE Proficy CIMPLICITY-Cleartext"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Proficy CIMPLICITY",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_name": "all",
                                "version_value": "all"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "General Electric"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Yuval Ardon and Roman Dvorkin of OTORIO reported this vulnerability to CISA"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The affected product is vulnerable due to cleartext transmission of credentials seen in the CIMPLICITY network, which can be easily spoofed and used to log in to make operational changes to the system."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-319 Cleartext Transmission of Sensitive Information"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-053-02",
                  "refsource": "MISC",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-053-02"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Users are advised to refer to the Secure Deployment Guide on how to configure communication encryption.\n\nUsers are encouraged to review the CIMPLICITY Windows Hardening Guide and Recommendations for further IPSEC configuration guidance found in the section titled \u201cAppendix A IPSEC Configuration.\u201d\n\nUsers are encouraged to contact a GE representative to obtain the latest versions of CIMPLICITY."
              }
            ],
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2022-21798",
        "datePublished": "2022-02-25T18:10:56.670Z",
        "dateReserved": "2022-01-27T00:00:00.000Z",
        "dateUpdated": "2025-04-16T18:00:26.255Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-21798 (GCVE-0-2022-21798)

    Vulnerability from cvelistv5 – Published: 2022-02-25 18:10 – Updated: 2025-04-16 18:00
    VLAI
    Title
    ICSA-22-053-02 GE Proficy CIMPLICITY-Cleartext
    Summary
    The affected product is vulnerable due to cleartext transmission of credentials seen in the CIMPLICITY network, which can be easily spoofed and used to log in to make operational changes to the system.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-319 - Cleartext Transmission of Sensitive Information
    Assigner
    References
    Impacted products
    Date Public
    2022-02-22 00:00
    Credits
    Yuval Ardon and Roman Dvorkin of OTORIO reported this vulnerability to CISA
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T02:53:36.261Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-053-02"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-21798",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T17:31:09.941294Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T18:00:26.255Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Proficy CIMPLICITY",
              "vendor": "General Electric",
              "versions": [
                {
                  "status": "affected",
                  "version": "all"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Yuval Ardon and Roman Dvorkin of OTORIO reported this vulnerability to CISA"
            }
          ],
          "datePublic": "2022-02-22T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "The affected product is vulnerable due to cleartext transmission of credentials seen in the CIMPLICITY network, which can be easily spoofed and used to log in to make operational changes to the system."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-319",
                  "description": "CWE-319 Cleartext Transmission of Sensitive Information",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-02-25T18:10:56.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-053-02"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "Users are advised to refer to the Secure Deployment Guide on how to configure communication encryption.\n\nUsers are encouraged to review the CIMPLICITY Windows Hardening Guide and Recommendations for further IPSEC configuration guidance found in the section titled \u201cAppendix A IPSEC Configuration.\u201d\n\nUsers are encouraged to contact a GE representative to obtain the latest versions of CIMPLICITY."
            }
          ],
          "source": {
            "discovery": "UNKNOWN"
          },
          "title": "ICSA-22-053-02 GE Proficy CIMPLICITY-Cleartext",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "DATE_PUBLIC": "2022-02-22T23:08:00.000Z",
              "ID": "CVE-2022-21798",
              "STATE": "PUBLIC",
              "TITLE": "ICSA-22-053-02 GE Proficy CIMPLICITY-Cleartext"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Proficy CIMPLICITY",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "=",
                                "version_name": "all",
                                "version_value": "all"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "General Electric"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Yuval Ardon and Roman Dvorkin of OTORIO reported this vulnerability to CISA"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The affected product is vulnerable due to cleartext transmission of credentials seen in the CIMPLICITY network, which can be easily spoofed and used to log in to make operational changes to the system."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-319 Cleartext Transmission of Sensitive Information"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-053-02",
                  "refsource": "MISC",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-053-02"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "Users are advised to refer to the Secure Deployment Guide on how to configure communication encryption.\n\nUsers are encouraged to review the CIMPLICITY Windows Hardening Guide and Recommendations for further IPSEC configuration guidance found in the section titled \u201cAppendix A IPSEC Configuration.\u201d\n\nUsers are encouraged to contact a GE representative to obtain the latest versions of CIMPLICITY."
              }
            ],
            "source": {
              "discovery": "UNKNOWN"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2022-21798",
        "datePublished": "2022-02-25T18:10:56.670Z",
        "dateReserved": "2022-01-27T00:00:00.000Z",
        "dateUpdated": "2025-04-16T18:00:26.255Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2022-23921 (GCVE-0-2022-23921)

    Vulnerability from cvelistv5 – Published: 2022-02-25 18:10 – Updated: 2025-04-16 18:00
    VLAI
    Title
    ICSA-22-053-01 GE Proficy CIMPLICITY-IPM
    Summary
    Exploitation of this vulnerability may result in local privilege escalation and code execution. GE maintains exploitation of this vulnerability is only possible if the attacker has login access to a machine actively running CIMPLICITY, the CIMPLICITY server is not already running a project, and the server is licensed for multiple projects.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    References
    Impacted products
    Vendor Product Version
    General Electric Proficy CIMPLICITY Affected: all , ≤ 11.1 (custom)
    Create a notification for this product.
    Date Public
    2022-02-22 00:00
    Credits
    Yuval Ardon and Roman Dvorkin of OTORIO reported this vulnerability to CISA
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T03:59:23.018Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-053-01"
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2022-23921",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-04-16T17:31:12.537218Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-04-16T18:00:35.453Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Proficy CIMPLICITY",
              "vendor": "General Electric",
              "versions": [
                {
                  "lessThanOrEqual": "11.1",
                  "status": "affected",
                  "version": "all",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "Yuval Ardon and Roman Dvorkin of OTORIO reported this vulnerability to CISA"
            }
          ],
          "datePublic": "2022-02-22T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Exploitation of this vulnerability may result in local privilege escalation and code execution. GE maintains exploitation of this vulnerability is only possible if the attacker has login access to a machine actively running CIMPLICITY, the CIMPLICITY server is not already running a project, and the server is licensed for multiple projects."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269 Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2022-02-25T18:10:55.000Z",
            "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
            "shortName": "icscert"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-053-01"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "value": "GE Digital recommends users upgrade all instances of the affected software to GE Digital\u2019s Proficy CIMPLICITY, released January 2022 (Upgrade) and follow the instructions in the Secure Deployment Guide to restrict which CIMPLICITY projects are allowed to run. \n\nThe upgrade contains what GE believes are mitigation measures to help ensure the vulnerability cannot be exploited.\n\nUsers are encouraged to contact a GE Digital representative for the latest versions of the update.\n\nFor users who choose to not implement the upgrade, GE Digital recommends applying the instructions in CIMPLICITY\u2019s Secure Deployment Guide to ensure access to the CIMPLICITY machines and directories are properly controlled via access control limits."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "ICSA-22-053-01 GE Proficy CIMPLICITY-IPM",
          "x_generator": {
            "engine": "Vulnogram 0.0.9"
          },
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "ics-cert@hq.dhs.gov",
              "DATE_PUBLIC": "2022-02-22T23:08:00.000Z",
              "ID": "CVE-2022-23921",
              "STATE": "PUBLIC",
              "TITLE": "ICSA-22-053-01 GE Proficy CIMPLICITY-IPM"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Proficy CIMPLICITY",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c=",
                                "version_name": "all",
                                "version_value": "11.1"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "General Electric"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "Yuval Ardon and Roman Dvorkin of OTORIO reported this vulnerability to CISA"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Exploitation of this vulnerability may result in local privilege escalation and code execution. GE maintains exploitation of this vulnerability is only possible if the attacker has login access to a machine actively running CIMPLICITY, the CIMPLICITY server is not already running a project, and the server is licensed for multiple projects."
                }
              ]
            },
            "generator": {
              "engine": "Vulnogram 0.0.9"
            },
            "impact": {
              "cvss": {
                "attackComplexity": "HIGH",
                "attackVector": "ADJACENT_NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-269 Improper Privilege Management"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-053-01",
                  "refsource": "MISC",
                  "url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-053-01"
                }
              ]
            },
            "solution": [
              {
                "lang": "en",
                "value": "GE Digital recommends users upgrade all instances of the affected software to GE Digital\u2019s Proficy CIMPLICITY, released January 2022 (Upgrade) and follow the instructions in the Secure Deployment Guide to restrict which CIMPLICITY projects are allowed to run. \n\nThe upgrade contains what GE believes are mitigation measures to help ensure the vulnerability cannot be exploited.\n\nUsers are encouraged to contact a GE Digital representative for the latest versions of the update.\n\nFor users who choose to not implement the upgrade, GE Digital recommends applying the instructions in CIMPLICITY\u2019s Secure Deployment Guide to ensure access to the CIMPLICITY machines and directories are properly controlled via access control limits."
              }
            ],
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "assignerShortName": "icscert",
        "cveId": "CVE-2022-23921",
        "datePublished": "2022-02-25T18:10:55.935Z",
        "dateReserved": "2022-01-27T00:00:00.000Z",
        "dateUpdated": "2025-04-16T18:00:35.453Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }