GE Fanuc Proficy Real-Time Information Portal 2.6 and earlier uses HTTP Basic Authentication, which transmits usernames and passwords in base64-encoded cleartext and allows remote attackers to steal the passwords and gain privileges.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-312,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | proficy_real-time_information_portal | * |
Stack-based buffer overflow in the Data Archiver service in GE Intelligent Platforms Proficy Historian before 3.5 SIM 17 and 4.x before 4.0 SIM 12 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via crafted TCP message traffic.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | intelligent_platforms_proficy_historian | 4.0 |
| ge | intelligent_platforms_proficy_historian | * |
Multiple stack-based buffer overflows in GE Intelligent Platforms Proficy Applications before 4.4.1 SIM 101 and 5.x before 5.0 SIM 43 allow remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via crafted TCP message traffic to (1) PRProficyMgr.exe in Proficy Server Manager, (2) PRGateway.exe in Proficy Server Gateway, (3) PRRDS.exe in Proficy Remote Data Service, or (4) PRLicenseMgr.exe in Proficy Server License Manager.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | intelligent_platforms_proficy_historian | 4.0 |
| ge | intelligent_platforms_proficy_historian | * |
| ge | intelligent_platforms_proficy_historian | 5.0 |
Cross-site scripting (XSS) vulnerability in the Web Administrator component in GE Intelligent Platforms Proficy Historian 4.x and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified parameters.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | intelligent_platforms_proficy_historian | * |
| ge | intelligent_platforms_proficy_historian | 3.1 |
| ge | intelligent_platforms_proficy_historian | 3.5 |
The Data Archiver service in GE Intelligent Platforms Proficy Historian 4.5 and earlier allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted session on TCP port 14000 to (1) ihDataArchiver.exe or (2) ihDataArchiver_x64.exe.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | intelligent_platforms_proficy_historian | 3.0 |
| ge | intelligent_platforms_proficy_historian | 4.0 |
| ge | intelligent_platforms_proficy_historian | * |
| ge | intelligent_platforms_proficy_historian | 2.0 |
| ge | intelligent_platforms_proficy_historian | 3.1 |
| ge | intelligent_platforms_proficy_historian | 3.5 |
| ge | intelligent_platforms_proficy_historian | 1.0 |
PRRDS.exe in the Proficy Remote Data Service in GE Intelligent Platforms Proficy Plant Applications 5.0 and earlier allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted TCP session on port 12299.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | intelligent_platforms_proficy_plant_applications | 215.8 |
| ge | intelligent_platforms_proficy_plant_applications | 4.2.3 |
| ge | intelligent_platforms_proficy_plant_applications | 4.4.1 |
| ge | intelligent_platforms_proficy_plant_applications | * |
| ge | intelligent_platforms_proficy_plant_applications | 4.2.2 |
| ge | intelligent_platforms_proficy_plant_applications | 4.3.1 |
PRLicenseMgr.exe in the Proficy Server License Manager in GE Intelligent Platforms Proficy Plant Applications 5.0 and earlier allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted TCP session on port 12401.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | intelligent_platforms_proficy_plant_applications | 215.8 |
| ge | intelligent_platforms_proficy_plant_applications | 4.2.3 |
| ge | intelligent_platforms_proficy_plant_applications | 4.4.1 |
| ge | intelligent_platforms_proficy_plant_applications | * |
| ge | intelligent_platforms_proficy_plant_applications | 4.2.2 |
| ge | intelligent_platforms_proficy_plant_applications | 4.3.1 |
Directory traversal vulnerability in rifsrvd.exe in the Remote Interface Service in GE Intelligent Platforms Proficy Real-Time Information Portal 2.6, 3.0, 3.0 SP1, and 3.5 allows remote attackers to modify the configuration via crafted strings.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-22,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | intelligent_platforms_proficy_real-time_information_portal | 3.5 |
| ge | intelligent_platforms_proficy_real-time_information_portal | 2.6 |
| ge | intelligent_platforms_proficy_real-time_information_portal | 3.0 |
Multiple stack-based buffer overflows in the KeyHelp.KeyCtrl.1 ActiveX control in KeyHelp.ocx 1.2.312 in KeyWorks KeyHelp Module (aka the HTML Help component), as used in EMC Documentum ApplicationXtender Desktop 5.4; EMC Captiva Quickscan Pro 4.6 SP1; GE Intelligent Platforms Proficy Historian 3.1, 3.5, 4.0, and 4.5; GE Intelligent Platforms Proficy HMI/SCADA iFIX 5.0 and 5.1; GE Intelligent Platforms Proficy Pulse 1.0; GE Intelligent Platforms Proficy Batch Execution 5.6; GE Intelligent Platforms SI7 I/O Driver 7.20 through 7.42; and other products, allow remote attackers to execute arbitrary code via a long string in the second argument to the (1) JumpMappedID or (2) JumpURL method.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | intelligent_platforms_proficy_hmi/scada_ifix | 5.0 |
| ge | intelligent_platforms_proficy_historian | 4.5 |
| emc | documentum_applicationxtender_desktop | 5.4 |
| emc | captiva_quickscan_pro | 4.6 |
| ge | intelligent_platforms_proficy_batch_execution | 5.6 |
| ge | intelligent_platforms_proficy_historian | 4.0 |
| ge | intelligent_platforms_si7_i/o_driver | 7.20 |
| ge | intelligent_platforms_proficy_historian | 3.1 |
| ge | intelligent_platforms_proficy_historian | 3.5 |
| ge | intelligent_platforms_proficy_pulse | 1.0 |
| ge | intelligent_platforms_proficy_hmi/scada_ifix | 5.1 |
| ge | intelligent_platforms_si7_i/o_driver | 7.42 |
An ActiveX control in KeyHelp.ocx in KeyWorks KeyHelp Module (aka the HTML Help component), as used in GE Intelligent Platforms Proficy Historian 3.1, 3.5, 4.0, and 4.5; Proficy HMI/SCADA iFIX 5.0 and 5.1; Proficy Pulse 1.0; Proficy Batch Execution 5.6; SI7 I/O Driver 7.20 through 7.42; and other products, allows remote attackers to execute arbitrary commands via crafted input, related to a "command injection vulnerability."
CVSS 2.0
Severity: HIGH
Problem Type: CWE-78,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | intelligent_platforms_proficy_hmi/scada_ifix | 5.0 |
| ge | intelligent_platforms_proficy_batch_execution | 5.6 |
| ge | intelligent_platforms_proficy_historian | 4.5 |
| ge | intelligent_platforms_proficy_historian | 4.0 |
| ge | intelligent_platforms_si7_i/o_driver | 7.20 |
| ge | intelligent_platforms_proficy_historian | 3.1 |
| ge | intelligent_platforms_proficy_historian | 3.5 |
| ge | intelligent_platforms_proficy_pulse | 1.0 |
| ge | intelligent_platforms_proficy_hmi/scada_ifix | 5.1 |
| ge | intelligent_platforms_si7_i/o_driver | 7.42 |
General Electric D20ME devices are not properly configured and reveal plaintext passwords.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-522,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | d20me_firmware | - |
| ge | d200_firmware | - |
The Portal installation process in GE Intelligent Platforms Proficy Real-Time Information Portal stores sensitive information under the web root with insufficient access control, which allows remote attackers to read configuration files, and discover data-source credentials, via a direct request.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | intelligent_platforms_proficy_real-time_information_portal | 3.5 |
| ge | intelligent_platforms_proficy_real-time_information_portal | - |
| ge | intelligent_platforms_proficy_real-time_information_portal | 2.6 |
| ge | intelligent_platforms_proficy_real-time_information_portal | 3.0 |
GE Intelligent Platforms Proficy Real-Time Information Portal does not restrict access to methods of an unspecified Java class, which allows remote attackers to obtain a username listing via an RMI call.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-264,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | intelligent_platforms_proficy_real-time_information_portal | 3.5 |
| ge | intelligent_platforms_proficy_real-time_information_portal | - |
| ge | intelligent_platforms_proficy_real-time_information_portal | 2.6 |
| ge | intelligent_platforms_proficy_real-time_information_portal | 3.0 |
Directory traversal vulnerability in substitute.bcl in the WebView CimWeb subsystem in GE Intelligent Platforms Proficy HMI/SCADA - CIMPLICITY 4.01 through 8.0, and Proficy Process Systems with CIMPLICITY, allows remote attackers to read arbitrary files via a crafted packet.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-22,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | intelligent_platforms_proficy_hmi/scada_cimplicity | 8.0 |
| ge | intelligent_platforms_proficy_process_systems | - |
| ge | intelligent_platforms_proficy_hmi/scada_cimplicity | 4.01 |
| ge | intelligent_platforms_proficy_process_systems_with_cimplicity | - |
| ge | intelligent_platforms_proficy_hmi/scada_cimplicity | 7.5 |
CimWebServer in GE Intelligent Platforms Proficy HMI/SCADA - CIMPLICITY 4.01 through 8.0, and Proficy Process Systems with CIMPLICITY, allows remote attackers to execute arbitrary commands or cause a denial of service (daemon crash) via a crafted packet.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | intelligent_platforms_proficy_hmi/scada_cimplicity | 8.0 |
| ge | intelligent_platforms_proficy_process_systems | - |
| ge | intelligent_platforms_proficy_hmi/scada_cimplicity | 4.01 |
| ge | intelligent_platforms_proficy_process_systems_with_cimplicity | - |
| ge | intelligent_platforms_proficy_hmi/scada_cimplicity | 7.5 |
Multiple buffer overflows in CimWebServer.exe in the WebView component in GE Intelligent Platforms Proficy HMI/SCADA - CIMPLICITY before 8.0 SIM 27, 8.1 before SIM 25, and 8.2 before SIM 19, and Proficy Process Systems with CIMPLICITY, allow remote attackers to execute arbitrary code via crafted data in packets to TCP port 10212, aka ZDI-CAN-1621 and ZDI-CAN-1624.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | intelligent_platforms_proficy_hmi/scada_cimplicity | 8.0 |
| ge | intelligent_platforms_proficy_hmi/scada_cimplicity | 8.2 |
| ge | intelligent_platforms_proficy_process_systems_with_cimplicity | - |
| ge | intelligent_platforms_proficy_hmi/scada_cimplicity | 8.1 |
The (1) Catapult DNP3 I/O driver before 7.2.0.60 and the (2) GE Intelligent Platforms Proficy DNP3 I/O driver before 7.20k, as used in DNPDrv.exe (aka the DNP master station server) in GE Intelligent Platforms Proficy HMI/SCADA - CIMPLICITY and iFIX, allow remote attackers to cause a denial of service (infinite loop) via a crafted DNP3 TCP packet.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | intelligent_platforms_proficy_hmi/scada_cimplicity | 8.0 |
| ge | intelligent_platforms_proficy_dnp3_i/o_driver | * |
| ge | intelligent_platforms_proficy_hmi/scada_ifix | 5.0 |
| ge | intelligent_platforms_proficy_hmi/scada_cimplicity | 8.2 |
| ge | intelligent_platforms_proficy_dnp3_i/o_driver | 7.20 |
| ge | intelligent_platforms_proficy_hmi/scada_cimplicity | 4.01 |
| ge | intelligent_platforms_proficy_hmi/scada_cimplicity | 8.1 |
| catapultsoftware | catapult_dnp3_i/o_driver | * |
| ge | intelligent_platforms_proficy_hmi/scada_cimplicity | 7.5 |
| ge | intelligent_platforms_proficy_hmi/scada_ifix | 5.1 |
The (1) Catapult DNP3 I/O driver before 7.2.0.60 and the (2) GE Intelligent Platforms Proficy DNP3 I/O driver before 7.20k, as used in DNPDrv.exe (aka the DNP master station server) in GE Intelligent Platforms Proficy HMI/SCADA - CIMPLICITY and iFIX, allow physically proximate attackers to cause a denial of service (infinite loop) via crafted input over a serial line.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | intelligent_platforms_proficy_hmi/scada_cimplicity | 8.0 |
| ge | intelligent_platforms_proficy_dnp3_i/o_driver | * |
| ge | intelligent_platforms_proficy_hmi/scada_ifix | 5.0 |
| ge | intelligent_platforms_proficy_hmi/scada_cimplicity | 8.2 |
| ge | intelligent_platforms_proficy_dnp3_i/o_driver | 7.20 |
| ge | intelligent_platforms_proficy_hmi/scada_cimplicity | 4.01 |
| ge | intelligent_platforms_proficy_hmi/scada_cimplicity | 8.1 |
| catapultsoftware | catapult_dnp3_i/o_driver | * |
| ge | intelligent_platforms_proficy_hmi/scada_cimplicity | 7.5 |
| ge | intelligent_platforms_proficy_hmi/scada_ifix | 5.1 |
Directory traversal vulnerability in gefebt.exe in the WebView CimWeb components in GE Intelligent Platforms Proficy HMI/SCADA - CIMPLICITY through 8.2 SIM 24, and Proficy Process Systems with CIMPLICITY, allows remote attackers to execute arbitrary code via a crafted HTTP request, aka ZDI-CAN-1622.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-22,CWE-22,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | intelligent_platforms_proficy_hmi/scada_cimplicity | 8.0 |
| ge | intelligent_platforms_proficy_hmi/scada_cimplicity | 8.2 |
| ge | intelligent_platforms_proficy_hmi/scada_cimplicity | 4.01 |
| ge | intelligent_platforms_proficy_process_systems_with_cimplicity | - |
| ge | intelligent_platforms_proficy_hmi/scada_cimplicity | 8.1 |
| ge | intelligent_platforms_proficy_hmi%2fscada_cimplicity | * |
| ge | intelligent_platforms_proficy_hmi/scada_cimplicity | 7.5 |
The CIMPLICITY Web-based access component, CimWebServer, does not check the location of shell files being loaded into the system. By modifying the source location, an attacker could send shell code to the CimWebServer which would deploy the nefarious files as part of any SCADA project. This could allow the attacker to execute arbitrary code.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-22,CWE-22,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | intelligent_platforms_proficy_hmi/scada_cimplicity | 8.0 |
| ge | intelligent_platforms_proficy_hmi/scada_cimplicity | 8.2 |
| ge | intelligent_platforms_proficy_hmi/scada_cimplicity | 4.01 |
| ge | intelligent_platforms_proficy_process_systems_with_cimplicity | - |
| ge | intelligent_platforms_proficy_hmi/scada_cimplicity | 8.1 |
| ge | intelligent_platforms_proficy_hmi%2fscada_cimplicity | * |
| ge | intelligent_platforms_proficy_hmi/scada_cimplicity | 7.5 |
The (1) CimView and (2) CimEdit components in GE Proficy HMI/SCADA-CIMPLICITY 8.2 and earlier allow remote attackers to gain privileges via a crafted CIMPLICITY screen (aka .CIM) file.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | intelligent_platforms_proficy_hmi/scada_cimplicity | * |
The 17046 Ethernet card before 94450214LFMT100SEM-L.R3-CL for the GE Digital Energy Hydran M2 does not properly generate random values for TCP Initial Sequence Numbers (ISNs), which makes it easier for remote attackers to spoof packets by predicting these values.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-343,NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | hydran_m2 | * |
GE Multilink ML800, ML1200, ML1600, and ML2400 switches with firmware 4.2.1 and earlier and Multilink ML810, ML3000, and ML3100 switches with firmware 5.2.0 and earlier allow remote attackers to cause a denial of service (resource consumption or reboot) via crafted packets.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-400,CWE-399,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | multilink_ml1200 | - |
| ge | multilink_ml800_firmware | * |
| ge | multilink_ml810 | - |
| ge | multilink_ml2400 | - |
| ge | multilink_ml3100_firmware | * |
| ge | multilink_ml3100 | * |
| ge | multilink_ml1600_firmware | * |
| ge | multilink_ml1600 | - |
| ge | multilink_ml2400_firmware | * |
| ge | multilink_ml810_firmware | * |
| ge | multilink_ml800 | - |
| ge | multilink_ml1200_firmware | * |
| ge | multilink_ml3000 | * |
| ge | multilink_ml3000_firmware | * |
GE Multilink ML800, ML1200, ML1600, and ML2400 switches with firmware 4.2.1 and earlier and Multilink ML810, ML3000, and ML3100 switches with firmware 5.2.0 and earlier use the same RSA private key across different customers' installations, which makes it easier for remote attackers to obtain the cleartext content of network traffic by reading this key from a firmware image and then sniffing the network.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-321,CWE-310,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | multilink_ml1200 | - |
| ge | multilink_ml800_firmware | * |
| ge | multilink_ml810 | - |
| ge | multilink_ml2400 | - |
| ge | multilink_ml3100_firmware | * |
| ge | multilink_ml3100 | * |
| ge | multilink_ml1600_firmware | * |
| ge | multilink_ml1600 | - |
| ge | multilink_ml2400_firmware | * |
| ge | multilink_ml810_firmware | * |
| ge | multilink_ml800 | - |
| ge | multilink_ml1200_firmware | * |
| ge | multilink_ml3000 | * |
| ge | multilink_ml3000_firmware | * |
Buffer overflow in the Field Device Tool (FDT) Frame application in the HART Device Type Manager (DTM) library, as used in MACTek Bullet DTM 1.00.0, GE Vector DTM 1.00.0, GE SVi1000 Positioner DTM 1.00.0, GE SVI II AP Positioner DTM 2.00.1, and GE 12400 Level Transmitter DTM 1.00.0, allows remote attackers to cause a denial of service (DTM outage) via crafted packets.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | vector_device_type_manager | 1.00.0 |
| mactek | bullet_device_type_manager | 1.00.0 |
| ge | 12400_level_transmitter_device_type_manager | 1.00.0 |
| ge | svi_ii_ap_positioner_device_type_manager | 2.00.1 |
Cross-site scripting (XSS) vulnerability in GE Multilink ML810/3000/3100 series switch 5.2.0 and earlier, and GE Multilink ML800/1200/1600/2400 4.2.1 and earlier.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | multilink_ml3100_firmware | * |
| ge | multilink_ml810_firmware | 5.2.0 |
| ge | multilink_ml2400_firmware | 4.2.1 |
| ge | multilink_ml800_firmware | 4.2.1 |
| ge | multilink_ml1200_firmware | 4.2.1 |
| ge | multilink_ml3000_firmware | * |
| ge | multilink_ml1600_firmware | 4.2.1 |
GE Digital Energy MDS PulseNET and MDS PulseNET Enterprise before 3.1.5 have hardcoded credentials for a support account, which allows remote attackers to obtain administrative access, and consequently execute arbitrary code, by leveraging knowledge of the password.
CVSS 2.0
Severity: HIGH
Problem Type: NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | mds_pulsenet | * |
Absolute path traversal vulnerability in the download feature in FileDownloadServlet in GE Digital Energy MDS PulseNET and MDS PulseNET Enterprise before 3.1.5 allows remote attackers to read or delete arbitrary files via a full pathname.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-22,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | mds_pulsenet | * |
General Electric (GE) Industrial Solutions UPS SNMP/Web Adapter devices with firmware before 4.8 allow remote authenticated users to execute arbitrary commands via unspecified vectors.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-77,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | ups_snmp_web_adapter_firmware | * |
General Electric (GE) Industrial Solutions UPS SNMP/Web Adapter devices with firmware before 4.8 allow remote authenticated users to obtain sensitive cleartext account information via unspecified vectors.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | snmp/web_adapter_firmware | * |
General Electric (GE) Multilink ML800, ML1200, ML1600, and ML2400 switches with firmware before 5.5.0 and ML810, ML3000, and ML3100 switches with firmware before 5.5.0k have hardcoded credentials, which allows remote attackers to modify configuration settings via the web interface.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-798,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | multilink_firmware | * |
General Electric (GE) Digital Proficy HMI/SCADA - CIMPLICITY before 8.2 SIM 27 mishandles service DACLs, which allows local users to modify a service configuration via unspecified vectors.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.3 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L | 2.0 | 3.7 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-668,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | cimplicity | 8.2 |
| ge | cimplicity | * |
General Electric (GE) Bently Nevada 3500/22M USB with firmware before 5.0 and Bently Nevada 3500/22M Serial have open ports, which makes it easier for remote attackers to obtain privileged access via unspecified vectors.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-254,CWE-285,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | bently_nevada_3500/22m_serial_firmware | - |
| ge | bently_nevada_3500/22m_usb_firmware | - |
An issue was discovered in General Electric (GE) Proficy HMI/SCADA iFIX Version 5.8 SIM 13 and prior versions, Proficy HMI/SCADA CIMPLICITY Version 9.0 and prior versions, and Proficy Historian Version 6.0 and prior versions. An attacker may be able to retrieve user passwords if he or she has access to an authenticated session.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.7 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L | 0.8 | 5.3 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-522,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | ifix | * |
| ge | cimplicity | * |
| ge | historian | * |
A Stack-based Buffer Overflow issue was discovered in GE CIMPLICITY Versions 9.0 and prior. A function reads a packet to indicate the next packet length. The next packet length is not verified, allowing a buffer overwrite that could lead to an arbitrary remote code execution.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-121,CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | intelligent_platforms_proficy_hmi/scada_cimplicity | * |
GE Infinia/Infinia with Hawkeye 4 medical imaging systems all current versions are affected these devices use default or hard-coded credentials. Successful exploitation of this vulnerability may allow a remote attacker to bypass authentication and gain access to the affected devices.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-287,CWE-798,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | infinia_hawkeye_4_firmware | - |
GE GEMNet License server (EchoServer) all current versions are affected these devices use default or hard-coded credentials. Successful exploitation of this vulnerability may allow a remote attacker to bypass authentication and gain access to the affected devices.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-287,CWE-798,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | gemnet_license_server | - |
GE Xeleris versions 1.0,1.1,2.1,3.0,3.1, medical imaging systems, all current versions are affected, these devices use default or hard-coded credentials. Successful exploitation of this vulnerability may allow a remote attacker to bypass authentication and gain access to the affected devices.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-287,CWE-798,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | xeleris | 3.1 |
| ge | xeleris | 2.1 |
| ge | xeleris | 3.0 |
| ge | xeleris | 1.0 |
| ge | xeleris | 1.1 |
GE Centricity PACS RA1000, diagnostic image analysis, all current versions are affected these devices use default or hard-coded credentials. Successful exploitation of this vulnerability may allow a remote attacker to bypass authentication and gain access to the affected devices.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-287,CWE-798,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | centricity_pacs_ra1000 | - |
A Weak Cryptography for Passwords issue was discovered in General Electric (GE) Multilin SR 750 Feeder Protection Relay, firmware versions prior to Version 7.47; SR 760 Feeder Protection Relay, firmware versions prior to Version 7.47; SR 469 Motor Protection Relay, firmware versions prior to Version 5.23; SR 489 Generator Protection Relay, firmware versions prior to Version 4.06; SR 745 Transformer Protection Relay, firmware versions prior to Version 5.23; SR 369 Motor Protection Relay, all firmware versions; Multilin Universal Relay, firmware Version 6.0 and prior versions; and Multilin URplus (D90, C90, B95), all versions. Ciphertext versions of user passwords were created with a non-random initialization vector leaving them susceptible to dictionary attacks. Ciphertext of user passwords can be obtained from the front LCD panel of affected products and through issued Modbus commands.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-261,CWE-326,CWE-330,CWE-522,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | multilin_sr_750_feeder_protection_relay_firmware | * |
| ge | multilin_urplus_d90_firmware | - |
| ge | multilin_urplus_c90_firmware | - |
| ge | multilin_sr_489_generator_protection_relay_firmware | * |
| ge | multilin_universal_relay_firmware | * |
| ge | multilin_sr_369_motor_protection_relay_firmware | - |
| ge | multilin_sr_760_feeder_protection_relay_firmware | * |
| ge | multilin_urplus_b95_firmware | - |
| ge | multilin_sr_745_transformer_protection_relay_firmware | * |
| ge | multilin_sr_469_motor_protection_relay_firmware | * |
A heap-based buffer overflow exists in the third-party product Gigasoft, v5 and prior, included in GE Communicator 3.15 and prior. A malicious HTML file that loads the ActiveX controls can trigger the vulnerability via unchecked function calls.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-122,CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | ge_communicator | * |
| gigasoft | proessentials | * |
Java remote method invocation (RMI) input port in GE MDS PulseNET and MDS PulseNET Enterprise version 3.2.1 and prior may be exploited to allow unauthenticated users to launch applications and support remote code execution through web services.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-287,CWE-287,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | mds_pulsenet | * |
Multiple variants of XML External Entity (XXE) attacks may be used to exfiltrate data from the host Windows platform in GE MDS PulseNET and MDS PulseNET Enterprise version 3.2.1 and prior.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-611,CWE-611,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | mds_pulsenet | * |
Directory traversal may lead to files being exfiltrated or deleted on the GE MDS PulseNET and MDS PulseNET Enterprise version 3.2.1 and prior host platform.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-23,CWE-22,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | mds_pulsenet | * |
XXE in GE Proficy Cimplicity GDS versions 9.0 R2, 9.5, 10.0
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-611,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | cimplicity | 10.0 |
| ge | cimplicity | 9.0_r2 |
| ge | cimplicity | 9.5 |
Multiple instances of this vulnerability (Unsafe ActiveX Control Marked Safe For Scripting) have been identified in the third-party ActiveX object provided to GE iFIX versions 2.0 - 5.8 by Gigasoft. Only the independent use of the Gigasoft charting package outside the iFIX product may expose users to the reported vulnerability. The reported method shown to impact Internet Explorer is not exposed in the iFIX product, nor is the core functionality of the iFIX product known to be impacted.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-623,NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | ifix | * |
GE Mark VIe, EX2100e, EX2100e_Reg, and LS2100e Versions 03.03.28C to 05.02.04C, EX2100e All versions prior to v04.09.00C, EX2100e_Reg All versions prior to v04.09.00C, and LS2100e All versions prior to v04.09.00C The affected versions of the application have a path traversal vulnerability that fails to restrict the ability of an attacker to gain access to restricted information.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-22,CWE-22,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | mark_vle_firmware | * |
| ge | ls2100e_firmware | * |
| ge | ex2100e_firmware | * |
An Improper Restriction of Operations within the Bounds of a Memory Buffer issue was discovered in GE D60 Line Distance Relay devices running firmware Version 7.11 and prior. The SSH functions of the device are vulnerable to buffer overflow conditions that may allow a remote attacker to execute arbitrary code on the device.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-119,CWE-119,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | d60_line_distance_relay_firmware | * |
A Stack-based Buffer Overflow issue was discovered in GE D60 Line Distance Relay devices running firmware Version 7.11 and prior. Multiple stack-based buffer overflow vulnerabilities have been identified, which may allow remote code execution.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-121,CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | d60_line_distance_relay_firmware | * |
In GE PACSystems RX3i CPE305/310 version 9.20 and prior, RX3i CPE330 version 9.21 and prior, RX3i CPE 400 version 9.30 and prior, PACSystems RSTi-EP CPE 100 all versions, and PACSystems CPU320/CRU320 RXi all versions, the device does not properly validate input, which could allow a remote attacker to send specially crafted packets causing the device to become unavailable.
CVSS 2.0
Severity: HIGH
Problem Type: CWE-20,CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | pacsystems_rsti-ep_cpe_100_firmware | - |
| ge | pacsystems_cpu320_firmware | - |
| ge | pacsystems_rx3i_cpe310_firmware | * |
| ge | rx3i_cpe_400_firmware | * |
| ge | pacsystems_rxi_firmware | - |
| ge | rx3i_cpe330_firmware | * |
| ge | pacsystems_rx3i_cpe305_firmware | * |
| ge | pacsystems_cru320_firmware | - |
In GE Aestiva and Aespire versions 7100 and 7900, a vulnerability exists where serial devices are connected via an added unsecured terminal server to a TCP/IP network configuration, which could allow an attacker to remotely modify device configuration and silence alarms.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | 3.9 | 1.4 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-287,CWE-287,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | aespire_7900_firmware | - |
| ge | aespire_7100_firmware | - |
| ge | aestiva_7100_firmware | - |
| ge | aestiva_7900_firmware | - |
GE Mark VIe Controller has an unsecured Telnet protocol that may allow a user to create an authenticated session using generic default credentials. GE recommends that users disable the Telnet service.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-285,NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | mark_vie_control_system | - |
GE Mark VIe Controller is shipped with pre-configured hard-coded credentials that may allow root-user access to the controller. A limited application of the affected product may ship without setup and configuration instructions immediately available to the end user. The bulk of controllers go into applications requiring the GE commissioning engineer to change default configurations during the installation process. GE recommends that users reset controller passwords during installation in the operating environment.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-798,CWE-798,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | mark_vie_controll_system | - |
HMI/SCADA iFIX (Versions 6.1 and prior) allows a local authenticated user to modify system-wide iFIX configurations through the registry. This may allow privilege escalation.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N | 1.8 | 3.6 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-732,CWE-732,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | ifix | * |
HMI/SCADA iFIX (Versions 6.1 and prior) allows a local authenticated user to modify system-wide iFIX configurations through section objects. This may allow privilege escalation.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.5 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N | 1.8 | 3.6 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-732,CWE-732,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | ifix | * |
An issue was found in GE S2020/S2020G Fast Switch 61850, S2020/S2020G Fast Switch 61850 Versions 07A03 and prior. An attacker can inject arbitrary Javascript in a specially crafted HTTP request that may be reflected back in the HTTP response. The device is also vulnerable to a stored cross-site scripting vulnerability that may allow session hijacking, disclosure of sensitive data, cross-site request forgery (CSRF) attacks, and remote code execution.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N | 2.3 | 2.7 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-79,CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | s2020g_firmware | * |
| ge | s2020_firmware | * |
GE Communicator, all versions prior to 4.0.517, has a service running with system privileges that may allow an unprivileged user to perform certain administrative actions, which may allow the execution of scheduled scripts with system administrator privileges. This service is inaccessible to attackers if Windows default firewall settings are used by the end user.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.6 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L | 2.2 | 3.4 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-284,NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | ge_communicator | * |
GE Communicator, all versions prior to 4.0.517, allows an attacker to place malicious files within the working directory of the program, which may allow an attacker to manipulate widgets and UI elements.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-427,CWE-427,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | ge_communicator | * |
GE Communicator, all versions prior to 4.0.517, contains two backdoor accounts with hardcoded credentials, which may allow control over the database. This service is inaccessible to attackers if Windows default firewall settings are used by the end user.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-798,CWE-798,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | ge_communicator | * |
GE Communicator, all versions prior to 4.0.517, allows a non-administrative user to place malicious files within the installer file directory, which may allow an attacker to gain administrative privileges on a system during installation or upgrade.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-427,CWE-427,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | ge_communicator | * |
GE Communicator, all versions prior to 4.0.517, allows a non-administrative user to replace the uninstaller with a malicious version, which could allow an attacker to gain administrator privileges to the system.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-284,NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | ge_communicator | * |
GE Grid Solutions Reason RT Clocks, RT430, RT431, and RT434, all firmware versions prior to 08A05. The device’s vulnerability in the web application could allow multiple unauthenticated attacks that could cause serious impact. The vulnerability may allow an unauthenticated attacker to execute arbitrary commands and send a request to a specific URL that could cause the device to become unresponsive. The unauthenticated attacker may change the password of the 'configuration' user account, allowing the attacker to modify the configuration of the device via the web interface using the new password. This vulnerability may also allow an unauthenticated attacker to bypass the authentication required to configure the device and reboot the system.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-306,CWE-306,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | rt431_firmware | * |
| ge | rt430_firmware | * |
| ge | rt434_firmware | * |
GE Digital APM Classic, Versions 4.4 and prior. An insecure direct object reference (IDOR) vulnerability allows user account data to be downloaded in JavaScript object notation (JSON) format by users who should not have access to such functionality. An attacker can download sensitive data related to user accounts without having the proper privileges.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 3.9 | 1.4 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-639,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | asset_performance_management_classic | * |
The affected Reason S20 Ethernet Switch is vulnerable to cross-site scripting (XSS), which may allow an attacker to trick application users into performing critical application actions that include, but are not limited to, adding and updating accounts.
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | s2024_firmware | * |
| ge | s2020_firmware | * |
GE Digital APM Classic, Versions 4.4 and prior. Salt is not used for hash calculation of passwords, making it possible to decrypt passwords. This design flaw, along with the IDOR vulnerability, puts the entire platform at high risk because an authenticated user can retrieve all user account data and then retrieve the actual passwords.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 1.2 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-759,NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | asset_performance_management_classic | * |
The affected Reason S20 Ethernet Switch is vulnerable to cross-site scripting (XSS), which may allow attackers to trick users into following a link or navigating to a page that posts a malicious JavaScript statement to the vulnerable site, causing the malicious JavaScript to be rendered by the site and executed by the victim client.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | s2024_firmware | * |
| ge | s2020_firmware | * |
By having access to the hard-coded cryptographic key for GE Reason RT430, RT431 & RT434 GNSS clocks in firmware versions prior to version 08A06, attackers would be able to intercept and decrypt encrypted traffic through an HTTPS connection.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 3.9 | 1.4 |
| ics-cert@hq.dhs.gov | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 3.9 | 1.4 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-321,CWE-798,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | rt431_firmware | * |
| ge | rt430_firmware | * |
| ge | rt434_firmware | * |
A code injection vulnerability exists in one of the webpages in GE Reason RT430, RT431 & RT434 GNSS clocks in firmware versions prior to version 08A06 that could allow an authenticated remote attacker to execute arbitrary code on the system.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
| ics-cert@hq.dhs.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-94,CWE-94,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | rt431_firmware | * |
| ge | rt430_firmware | * |
| ge | rt434_firmware | * |
KEPServerEX: v6.0 to v6.9, ThingWorx Kepware Server: v6.8 and v6.9, ThingWorx Industrial Connectivity: All versions, OPC-Aggregator: All versions, Rockwell Automation KEPServer Enterprise, GE Digital Industrial Gateway Server: v7.68.804 and v7.66, Software Toolbox TOP Server: All 6.x versions, are vulnerable to a heap-based buffer overflow. Opening a specifically crafted OPC UA message could allow an attacker to crash the server and potentially leak data.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H | 3.9 | 5.2 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-122,CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ptc | thingworx_kepware_server | 6.8 |
| rockwellautomation | kepserver_enterprise | 6.9.572.0 |
| softwaretoolbox | top_server | * |
| ptc | kepware_kepserverex | 6.9 |
| ptc | thingworx_kepware_server | 6.9 |
| ge | industrial_gateway_server | 7.66 |
| rockwellautomation | kepserver_enterprise | 6.6.504.0 |
| ge | industrial_gateway_server | 7.68.804 |
| ptc | kepware_kepserverex | 6.0 |
| ptc | thingworx_industrial_connectivity | - |
| ptc | opc-aggregator | - |
KEPServerEX: v6.0 to v6.9, ThingWorx Kepware Server: v6.8 and v6.9, ThingWorx Industrial Connectivity: All versions, OPC-Aggregator: All versions, Rockwell Automation KEPServer Enterprise, GE Digital Industrial Gateway Server: v7.68.804 and v7.66, Software Toolbox TOP Server: All 6.x versions are vulnerable to a stack-based buffer overflow. Opening a specifically crafted OPC UA message could allow an attacker to crash the server and remotely execute code.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-121,CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ptc | thingworx_kepware_server | 6.8 |
| rockwellautomation | kepserver_enterprise | 6.9.572.0 |
| softwaretoolbox | top_server | * |
| ptc | kepware_kepserverex | 6.9 |
| ptc | thingworx_kepware_server | 6.9 |
| ge | industrial_gateway_server | 7.66 |
| rockwellautomation | kepserver_enterprise | 6.6.504.0 |
| ge | industrial_gateway_server | 7.68.804 |
| ptc | kepware_kepserverex | 6.0 |
| ptc | thingworx_industrial_connectivity | - |
| ptc | opc-aggregator | - |
KEPServerEX v6.0 to v6.9, ThingWorx Kepware Server v6.8 and v6.9, ThingWorx Industrial Connectivity (all versions), OPC-Aggregator (all versions), Rockwell Automation KEPServer Enterprise, GE Digital Industrial Gateway Server v7.68.804 and v7.66, and Software Toolbox TOP Server all 6.x versions, are vulnerable to a heap-based buffer overflow. Opening a specifically crafted OPC UA message could allow an attacker to crash the server and potentially leak data.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H | 3.9 | 5.2 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-416,CWE-787,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ptc | thingworx_kepware_server | 6.8 |
| rockwellautomation | kepserver_enterprise | 6.9.572.0 |
| softwaretoolbox | top_server | * |
| ptc | kepware_kepserverex | 6.9 |
| ptc | thingworx_kepware_server | 6.9 |
| ge | industrial_gateway_server | 7.66 |
| rockwellautomation | kepserver_enterprise | 6.6.504.0 |
| ge | industrial_gateway_server | 7.68.804 |
| ptc | kepware_kepserverex | 6.0 |
| ptc | thingworx_industrial_connectivity | - |
| ptc | opc-aggregator | - |
A vulnerability was found in GE Voluson S8. It has been rated as critical. This issue affects the Service Browser which itroduces hard-coded credentials. Attacking locally is a requirement. It is recommended to change the configuration settings.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
| ics-cert@hq.dhs.gov | 5.9 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L | 2.5 | 3.4 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-798,CWE-798,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | voluson_s8_firmware | - |
A vulnerability classified as problematic has been found in GE Voluson S8. Affected is the file /uscgi-bin/users.cgi of the Service Browser. The manipulation leads to improper authentication and elevated access possibilities. It is possible to launch the attack on the local host.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
| ics-cert@hq.dhs.gov | 5.9 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L | 2.5 | 3.4 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-287,CWE-287,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | voluson_s8_firmware | - |
A vulnerability classified as critical was found in GE Voluson S8. Affected is the underlying Windows XP operating system. Missing patches might introduce an excessive attack surface. Access to the local network is required for this attack to succeed.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
| ics-cert@hq.dhs.gov | 8.8 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-269,NVD-CWE-noinfo,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | voluson_s8_firmware | - |
A restricted desktop environment escape vulnerability exists in the Kiosk Mode functionality of affected devices. Specially crafted inputs can allow the user to escape the restricted environment, resulting in access to the underlying operating system. Affected devices include the following GE Ultrasound Products: Vivid products - all versions; LOGIQ - all versions not including LOGIQ 100 Pro; Voluson - all versions; Versana Essential - all versions; Invenia ABUS Scan station - all versions; Venue - all versions not including Venue 40 R1-3 and Venue 50 R4-5
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.8 | MEDIUM | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 0.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-693,CWE-20,NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | logiq_e10_firmware | * |
| ge | vivid_e95_firmware | * |
| ge | logiq_s7_firmware | * |
| ge | logiq_s8_firmware | * |
| ge | vivid_e90_firmware | * |
| ge | invenia_abus_scan_station_firmware | * |
| ge | logiq_e9_with_xdclear_firmware | * |
| ge | voluson_firmware | * |
| ge | venue_go_firmware | * |
| ge | vivid_t8_firmware | * |
| ge | versana_essential_firmware | * |
| ge | vivid_s70n_firmware | * |
| ge | vivid_t9_firmware | * |
| ge | logiq_e9_firmware | * |
| ge | logiq_p9_firmware | * |
| ge | vivid_iq_firmware | * |
A local privilege escalation vulnerability has been identified in the GE Digital CIMPLICITY HMI/SCADA product v10.0 and prior. If exploited, this vulnerability could allow an adversary to modify the system, leading to the arbitrary execution of code. This vulnerability is only exploitable if an attacker has access to an authenticated session. GE Digital CIMPLICITY v11.0, released January 2020, contains mitigation for this local privilege escalation vulnerability. GE Digital recommends all users upgrade to GE CIMPLICITY v11.0 or newer.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.7 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H | 0.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-269,CWE-269,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | cimplicity | * |
GE UR firmware versions prior to version 8.1x supports web interface with read-only access. The device fails to properly validate user input, making it possible to perform cross-site scripting attacks, which may be used to send a malicious script. Also, UR Firmware web server does not perform HTML encoding of user-supplied strings.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 |
| ics-cert@hq.dhs.gov | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N | 3.9 | 1.4 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,CWE-79,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | multilin_c30_firmware | * |
| ge | multilin_d30_firmware | * |
| ge | multilin_l60_firmware | * |
| ge | multilin_b30_firmware | * |
| ge | multilin_b90_firmware | * |
| ge | multilin_n60_firmware | * |
| ge | multilin_l90_firmware | * |
| ge | multilin_f35_firmware | * |
| ge | multilin_t35_firmware | * |
| ge | multilin_c70_firmware | * |
| ge | multilin_g30_firmware | * |
| ge | multilin_l30_firmware | * |
| ge | multilin_c60_firmware | * |
| ge | multilin_g60_firmware | * |
| ge | multilin_m60_firmware | * |
| ge | multilin_f60_firmware | * |
| ge | multilin_d60_firmware | * |
| ge | multilin_t60_firmware | * |
| ge | multilin_c95_firmware | * |
GE UR firmware versions prior to version 8.1x web server task does not properly handle receipt of unsupported HTTP verbs, resulting in the web server becoming temporarily unresponsive after receiving a series of unsupported HTTP requests. When unresponsive, the web server is inaccessible. By itself, this is not particularly significant as the relay remains effective in all other functionality and communication channels.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| ics-cert@hq.dhs.gov | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | 3.9 | 1.4 |
| nvd@nist.gov | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L | 3.9 | 1.4 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-20,CWE-20,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | multilin_c30_firmware | * |
| ge | multilin_d30_firmware | * |
| ge | multilin_l60_firmware | * |
| ge | multilin_b30_firmware | * |
| ge | multilin_b90_firmware | * |
| ge | multilin_n60_firmware | * |
| ge | multilin_l90_firmware | * |
| ge | multilin_f35_firmware | * |
| ge | multilin_t35_firmware | * |
| ge | multilin_c70_firmware | * |
| ge | multilin_g30_firmware | * |
| ge | multilin_l30_firmware | * |
| ge | multilin_c60_firmware | * |
| ge | multilin_g60_firmware | * |
| ge | multilin_m60_firmware | * |
| ge | multilin_f60_firmware | * |
| ge | multilin_d60_firmware | * |
| ge | multilin_t60_firmware | * |
| ge | multilin_c95_firmware | * |
GE UR firmware versions prior to version 8.1x web server interface is supported on UR over HTTP protocol. It allows sensitive information exposure without authentication.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| ics-cert@hq.dhs.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,CWE-319,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | multilin_c30_firmware | * |
| ge | multilin_d30_firmware | * |
| ge | multilin_l60_firmware | * |
| ge | multilin_b30_firmware | * |
| ge | multilin_b90_firmware | * |
| ge | multilin_n60_firmware | * |
| ge | multilin_l90_firmware | * |
| ge | multilin_f35_firmware | * |
| ge | multilin_t35_firmware | * |
| ge | multilin_c70_firmware | * |
| ge | multilin_g30_firmware | * |
| ge | multilin_l30_firmware | * |
| ge | multilin_c60_firmware | * |
| ge | multilin_g60_firmware | * |
| ge | multilin_m60_firmware | * |
| ge | multilin_f60_firmware | * |
| ge | multilin_d60_firmware | * |
| ge | multilin_t60_firmware | * |
| ge | multilin_c95_firmware | * |
GE UR firmware versions prior to version 8.1x shares MODBUS memory map as part of the communications guide. GE was made aware a “Last-key pressed” MODBUS register can be used to gain unauthorized information.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| ics-cert@hq.dhs.gov | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 3.9 | 1.4 |
| nvd@nist.gov | 5.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N | 3.9 | 1.4 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-200,CWE-668,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | multilin_c30_firmware | * |
| ge | multilin_d30_firmware | * |
| ge | multilin_l60_firmware | * |
| ge | multilin_b30_firmware | * |
| ge | multilin_b90_firmware | * |
| ge | multilin_n60_firmware | * |
| ge | multilin_l90_firmware | * |
| ge | multilin_f35_firmware | * |
| ge | multilin_t35_firmware | * |
| ge | multilin_c70_firmware | * |
| ge | multilin_g30_firmware | * |
| ge | multilin_l30_firmware | * |
| ge | multilin_c60_firmware | * |
| ge | multilin_g60_firmware | * |
| ge | multilin_m60_firmware | * |
| ge | multilin_f60_firmware | * |
| ge | multilin_d60_firmware | * |
| ge | multilin_t60_firmware | * |
| ge | multilin_c95_firmware | * |
GE UR IED firmware versions prior to version 8.1x with “Basic” security variant does not allow the disabling of the “Factory Mode,” which is used for servicing the IED by a “Factory” user.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| ics-cert@hq.dhs.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-453,NVD-CWE-Other,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | multilin_c30_firmware | * |
| ge | multilin_d30_firmware | * |
| ge | multilin_l60_firmware | * |
| ge | multilin_b30_firmware | * |
| ge | multilin_b90_firmware | * |
| ge | multilin_n60_firmware | * |
| ge | multilin_l90_firmware | * |
| ge | multilin_f35_firmware | * |
| ge | multilin_t35_firmware | * |
| ge | multilin_c70_firmware | * |
| ge | multilin_g30_firmware | * |
| ge | multilin_l30_firmware | * |
| ge | multilin_c60_firmware | * |
| ge | multilin_g60_firmware | * |
| ge | multilin_m60_firmware | * |
| ge | multilin_f60_firmware | * |
| ge | multilin_d60_firmware | * |
| ge | multilin_t60_firmware | * |
| ge | multilin_c95_firmware | * |
GE UR IED firmware versions prior to version 8.1x supports upgrading firmware using UR Setup configuration tool – Enervista UR Setup. This UR Setup tool validates the authenticity and integrity of firmware file before uploading the UR IED. An illegitimate user could upgrade firmware without appropriate privileges. The weakness is assessed, and mitigation is implemented in firmware Version 8.10.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
| ics-cert@hq.dhs.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-434,CWE-434,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | multilin_c30_firmware | * |
| ge | multilin_d30_firmware | * |
| ge | multilin_l60_firmware | * |
| ge | multilin_b30_firmware | * |
| ge | multilin_b90_firmware | * |
| ge | multilin_n60_firmware | * |
| ge | multilin_l90_firmware | * |
| ge | multilin_f35_firmware | * |
| ge | multilin_t35_firmware | * |
| ge | multilin_c70_firmware | * |
| ge | multilin_g30_firmware | * |
| ge | multilin_l30_firmware | * |
| ge | multilin_c60_firmware | * |
| ge | multilin_g60_firmware | * |
| ge | multilin_m60_firmware | * |
| ge | multilin_f60_firmware | * |
| ge | multilin_d60_firmware | * |
| ge | multilin_t60_firmware | * |
| ge | multilin_c95_firmware | * |
GE UR bootloader binary Version 7.00, 7.01 and 7.02 included unused hardcoded credentials. Additionally, a user with physical access to the UR IED can interrupt the boot sequence by rebooting the UR.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.8 | MEDIUM | CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 0.9 | 5.9 |
| ics-cert@hq.dhs.gov | 8.4 | HIGH | CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 2.5 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-798,CWE-798,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | ur_bootloader_binary | 7.01 |
| ge | ur_bootloader_binary | 7.02 |
| ge | ur_bootloader_binary | 7.00 |
The software contains a hard-coded password it uses for its own inbound authentication or for outbound communication to external components on the Reason DR60 (all firmware versions prior to 02A04.1).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 2.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-94,CWE-94,CWE-798,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | reason_dr60_firmware | * |
The software contains a hard-coded password it uses for its own inbound authentication or for outbound communication to external components on the Reason DR60 (all firmware versions prior to 02A04.1).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-259,CWE-798,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | reason_dr60_firmware | * |
A miscommunication in the file system allows adversaries with access to the MU320E to escalate privileges on the MU320E (all firmware versions prior to v04A00.1).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-250,CWE-269,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | mu320e_firmware | * |
SSH server configuration file does not implement some best practices. This could lead to a weakening of the SSH protocol strength, which could lead to additional misconfiguration or be leveraged as part of a larger attack on the MU320E (all firmware versions prior to v04A00.1).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-326,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | mu320e_firmware | * |
The software contains a hard-coded password that could allow an attacker to take control of the merging unit using these hard-coded credentials on the MU320E (all firmware versions prior to v04A00.1).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-259,CWE-798,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | mu320e_firmware | * |
The software performs an operation at a privilege level higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses on the Reason DR60 (all firmware versions prior to 02A04.1).
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-250,CWE-269,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | reason_dr60_firmware | * |
This vulnerability allows remote attackers to execute arbitrary code on affected installations of GE Reason RPV311 14A03. Authentication is not required to exploit this vulnerability. The specific flaw exists within the firmware and filesystem of the device. The firmware and filesystem contain hard-coded default credentials. An attacker can leverage this vulnerability to execute code in the context of the download user. Was ZDI-CAN-11852.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L | 3.9 | 3.4 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-798,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | reason_rpv311_firmware | 14a03 |
GE Gas Power ToolBoxST Version v04.07.05C suffers from an XML external entity (XXE) vulnerability using the DTD parameter entities technique that could result in disclosure and retrieval of arbitrary data on the affected node via an out-of-band (OOB) attack. The vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project/template file.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| ics-cert@hq.dhs.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
CVSS 2.0
Severity: MEDIUM
Problem Type: CWE-611,CWE-611,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | toolboxst | * |
GE CIMPICITY versions 2022 and prior is vulnerable when data from faulting address controls code flow starting at gmmiObj!CGmmiOptionContainer, which could allow an attacker to execute arbitrary code.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | cimplicity | * |
The affected product is vulnerable due to cleartext transmission of credentials seen in the CIMPLICITY network, which can be easily spoofed and used to log in to make operational changes to the system.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
| ics-cert@hq.dhs.gov | 7.5 | HIGH | CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 1.6 | 5.9 |
CVSS 2.0
Severity: HIGH
Problem Type: CWE-319,CWE-319,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | cimplicity | * |
Exploitation of this vulnerability may result in local privilege escalation and code execution. GE maintains exploitation of this vulnerability is only possible if the attacker has login access to a machine actively running CIMPLICITY, the CIMPLICITY server is not already running a project, and the server is licensed for multiple projects.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
| ics-cert@hq.dhs.gov | 7.5 | HIGH | CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H | 1.6 | 5.9 |
CVSS 2.0
Severity: LOW
Problem Type: CWE-269,CWE-269,
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | proficy_cimplicitiy | * |
Certain General Electric Renewable Energy products have inadequate encryption strength. This affects iNET and iNET II before 8.3.0.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | sd2_firmware | * |
| ge | td220max_firmware | * |
| ge | td220x_firmware | * |
| ge | sd4_firmware | * |
| ge | inet_ii_900_firmware | * |
| ge | inet_900_firmware | * |
| ge | sd1_firmware | * |
| ge | sd9_firmware | * |
Certain General Electric Renewable Energy products download firmware without an integrity check. This affects iNET and iNET II before 8.3.0, SD before 6.4.7, TD220X before 2.0.16, and TD220MAX before 1.2.6.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | sd2_firmware | * |
| ge | td220max_firmware | * |
| ge | td220x_firmware | * |
| ge | sd4_firmware | * |
| ge | inet_ii_900_firmware | * |
| ge | inet_900_firmware | * |
| ge | sd1_firmware | * |
| ge | sd9_firmware | * |
Certain General Electric Renewable Energy products allow attackers to use a code to trigger a reboot into the factory default configuration. This affects iNET and iNET II before 8.3.0, SD before 6.4.7, TD220X before 2.0.16, and TD220MAX before 1.2.6.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | sd2_firmware | * |
| ge | td220max_firmware | * |
| ge | td220x_firmware | * |
| ge | sd4_firmware | * |
| ge | inet_ii_900_firmware | * |
| ge | inet_900_firmware | * |
| ge | sd1_firmware | * |
| ge | sd9_firmware | * |
Certain General Electric Renewable Energy products have a hidden feature for unauthenticated remote access to the device configuration shell. This affects iNET and iNET II before 8.3.0.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | sd2_firmware | * |
| ge | td220max_firmware | * |
| ge | td220x_firmware | * |
| ge | sd4_firmware | * |
| ge | inet_ii_900_firmware | * |
| ge | inet_900_firmware | * |
| ge | sd1_firmware | * |
| ge | sd9_firmware | * |
Certain General Electric Renewable Energy products store cleartext credentials in flash memory. This affects iNET and iNET II before 8.3.0.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | sd2_firmware | * |
| ge | td220max_firmware | * |
| ge | td220x_firmware | * |
| ge | sd4_firmware | * |
| ge | inet_ii_900_firmware | * |
| ge | inet_900_firmware | * |
| ge | sd1_firmware | * |
| ge | sd9_firmware | * |
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Kepware KEPServerEX 6.11.718.0. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of text encoding conversions. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-18411.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ptc | kepware_kepserverex | * |
| ge | industrial_gateway_server | * |
| softwaretoolbox | top_server | * |
| ptc | thingworx_kepware_edge | * |
| ptc | thingworx_kepware_server | * |
| ptc | opc-aggregator | * |
| rockwellautomation | kepserver_enterprise | * |
| ptc | thingworx_industrial_connectivity | - |
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Kepware KEPServerEX 6.11.718.0. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of text encoding conversions. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-16486.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H | 3.9 | 5.2 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ptc | kepware_kepserverex | * |
| ge | industrial_gateway_server | * |
| softwaretoolbox | top_server | * |
| ptc | thingworx_kepware_edge | * |
| ptc | thingworx_kepware_server | * |
| ptc | opc-aggregator | * |
| rockwellautomation | kepserver_enterprise | * |
| ptc | thingworx_industrial_connectivity | - |
GE CIMPICITY versions 2022 and prior is vulnerable to a heap-based buffer overflow, which could allow an attacker to execute arbitrary code.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | cimplicity | * |
GE CIMPICITY versions 2022 and prior is vulnerable when data from a faulting address controls code flow starting at gmmiObj!CGmmiOptionContainer, which could allow an attacker to execute arbitrary code.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | cimplicity | * |
GE CIMPICITY versions 2022 and prior is vulnerable when data from a faulting address controls code flow starting at gmmiObj!CGmmiRootOptionTable, which could allow an attacker to execute arbitrary code.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | cimplicity | * |
GE CIMPICITY versions 2022 and prior is vulnerable to an out-of-bounds write, which could allow an attacker to execute arbitrary code.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | cimplicity | * |
A reflected cross-site scripting (XSS) vulnerability exists in the iHistorian Data Display of WorkstationST (<v07.09.15) could allow an attacker to compromise a victim's browser. WorkstationST is only deployed in specific, controlled environments rendering attack complexity significantly higher than if the attack were conducted on the software in isolation. WorkstationST v07.09.15 can be found in ControlST v07.09.07 SP8 and greater.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 |
| GEPowerCVD@ge.com | 4.7 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N | 1.6 | 2.7 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | workstationst | * |
An HTTP response splitting vulnerability exists in the AM Gateway Challenge-Response dialog of WorkstationST (<v07.09.15) and could allow an attacker to compromise a victim's browser/session. WorkstationST is only deployed in specific, controlled environments rendering attack complexity significantly higher than if the attack were conducted on the software in isolation. WorkstationST v07.09.15 can be found in ControlST v07.09.07 SP8 and greater.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | 2.8 | 2.7 |
| GEPowerCVD@ge.com | 4.7 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N | 1.6 | 2.7 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | workstationst | * |
An unauthorized user with network access and the decryption key could decrypt sensitive data, such as usernames and passwords.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | proficy_historian | * |
An unauthorized user could be able to read any file on the system, potentially exposing sensitive information.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | proficy_historian | * |
An issue was discovered in FC46-WebBridge on GE Grid Solutions MS3000 devices before 3.7.6.25p0_3.2.2.17p0_4.7p0. A vulnerability in the web server allows arbitrary files and configurations to be read via directory traversal over TCP port 8888.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | ms_3000_firmware | * |
An issue was discovered in FC46-WebBridge on GE Grid Solutions MS3000 devices before 3.7.6.25p0_3.2.2.17p0_4.7p0. Direct access to the API is possible on TCP port 8888 via programs located in the cgi-bin folder without any authentication.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | ms_3000_firmware | * |
An issue was discovered on GE Grid Solutions MS3000 devices before 3.7.6.25p0_3.2.2.17p0_4.7p0. The debug port accessible via TCP (a qconn service) lacks access control.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | ms_3000_firmware | * |
An unauthorized user could possibly delete any file on the system.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | proficy_historian | * |
An unauthorized user could alter or write files with full control over the path and content of the file.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | proficy_historian | * |
Even if the authentication fails for local service authentication, the requested command could still execute regardless of authentication status.
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | proficy_historian | * |
GE Digital Proficy iFIX 2022, GE Digital Proficy iFIX v6.1, and GE Digital Proficy iFIX v6.5 are vulnerable to code injection, which may allow an attacker to insert malicious configuration files in the expected web server execution path and gain full control of the HMI software.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
| ics-cert@hq.dhs.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | ifix | 6.5 |
| ge | ifix | 2022 |
| ge | ifix | 6.1 |
The affected products are vulnerable to an integer overflow or wraparound, which could allow an attacker to crash the server and remotely execute arbitrary code.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| ics-cert@hq.dhs.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ptc | thingworx_edge_c-sdk | * |
| ptc | thingworx_.net-sdk | * |
| ptc | thingworx_industrial_connectivity | * |
| ge | digital_industrial_gateway_server | * |
| ptc | kepware_serverex | * |
| ptc | thingworx_edge_microserver | * |
| ptc | thingworx_kepware_edge | * |
| ptc | kepware_server | * |
| rockwellautomation | kepserver_enterprise | * |
The affected products are vulnerable to an improper validation of array index, which could allow an attacker to crash the server and remotely execute arbitrary code.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
| ics-cert@hq.dhs.gov | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ptc | thingworx_edge_c-sdk | * |
| ptc | thingworx_.net-sdk | * |
| ge | digital_industrial_gateway_server | * |
| ptc | kepware_serverex | * |
| ptc | thingworx_edge_microserver | * |
| ptc | thingworx_kepware_edge | * |
| ptc | kepware_server | * |
| rockwellautomation | kepserver_enterprise | * |
| ptc | thingworx_industrial_connectivity | - |
General Electric MiCOM S1 Agile is vulnerable to an attacker achieving code execution by placing malicious DLL files in the directory of the application.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.3 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H | 1.3 | 5.9 |
| ics-cert@hq.dhs.gov | 5.3 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:H | 0.6 | 4.7 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | micom_s1_agile | - |
ToolboxST prior to version 7.10 is affected by a deserialization vulnerability. An attacker with local access to an HMI or who has conducted a social engineering attack on an authorized operator could execute code in a Toolbox user's context through the deserialization of an untrusted configuration file. Two CVSS scores have been provided to capture the differences between the two aforementioned attack vectors. Customers are advised to update to ToolboxST 7.10 which can be found in ControlST 7.10. If unable to update at this time customers should ensure they are following the guidance laid out in GE Gas Power's Secure Deployment Guide (GEH-6839). Customers should ensure they are not running ToolboxST as an Administrative user.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| GEPowerCVD@ge.com | 6.4 | MEDIUM | CVSS:3.1/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:H/A:L | 0.6 | 5.3 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | toolboxst | * |
All versions of GE Digital CIMPLICITY that are not adhering to SDG guidance and accepting documents from untrusted sources are vulnerable to memory corruption issues due to insufficient input validation, including issues such as out-of-bounds reads and writes, use-after-free, stack-based buffer overflows, uninitialized pointers, and a heap-based buffer overflow. Successful exploitation could allow an attacker to execute arbitrary code.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| ics-cert@hq.dhs.gov | 6.6 | MEDIUM | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H | 1.8 | 4.7 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | cimplicity | * |
GE CIMPLICITY 2023 is by a process control vulnerability, which could allow a local attacker to insert malicious configuration files in the expected web server execution path to escalate privileges and gain full control of the HMI software.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| ics-cert@hq.dhs.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
| nvd@nist.gov | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H | 1.8 | 5.9 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | cimplicity | 2023 |
KEPServerEX is vulnerable to a buffer overflow which may allow an attacker to crash the product being accessed or leak information.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| ics-cert@hq.dhs.gov | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H | 3.9 | 5.2 |
| nvd@nist.gov | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H | 3.9 | 5.2 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | industrial_gateway_server | * |
| softwaretoolbox | top_server | * |
| ptc | keepserverex | * |
| ptc | thingworx_kepware_edge | * |
| ptc | thingworx_kepware_server | * |
| ptc | opc-aggregator | * |
| rockwellautomation | kepserver_enterprise | * |
| ptc | thingworx_industrial_connectivity | - |
KEPServerEX does not properly validate certificates from clients which may allow unauthenticated users to connect.
CVSS 3.x
| Source | Score | Severity | Vector | Exploitability | Impact |
|---|---|---|---|---|---|
| nvd@nist.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
| ics-cert@hq.dhs.gov | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N | 3.9 | 3.6 |
Products Affected
| Vendor | Product | Version |
|---|---|---|
| ge | industrial_gateway_server | * |
| softwaretoolbox | top_server | * |
| ptc | keepserverex | * |
| ptc | thingworx_kepware_edge | * |
| ptc | thingworx_kepware_server | * |
| ptc | opc-aggregator | * |
| rockwellautomation | kepserver_enterprise | * |
| ptc | thingworx_industrial_connectivity | - |