CVE-2022-23921

ICSA-22-053-01 GE Proficy CIMPLICITY-IPM

Description

Exploitation of this vulnerability may result in local privilege escalation and code execution. GE maintains exploitation of this vulnerability is only possible if the attacker has login access to a machine actively running CIMPLICITY, the CIMPLICITY server is not already running a project, and the server is licensed for multiple projects.

Remediation

Solution:

  • GE Digital recommends users upgrade all instances of the affected software to GE Digital’s Proficy CIMPLICITY, released January 2022 (Upgrade) and follow the instructions in the Secure Deployment Guide to restrict which CIMPLICITY projects are allowed to run. The upgrade contains what GE believes are mitigation measures to help ensure the vulnerability cannot be exploited. Users are encouraged to contact a GE Digital representative for the latest versions of the update. For users who choose to not implement the upgrade, GE Digital recommends applying the instructions in CIMPLICITY’s Secure Deployment Guide to ensure access to the CIMPLICITY machines and directories are properly controlled via access control limits.

Category

7.5
CVSS
Severity: High
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.04%
Third-Party Advisory cisa.gov
Affected: General Electric Proficy CIMPLICITY
Published at:
Updated at:

References

Link Tags
https://www.cisa.gov/uscert/ics/advisories/icsa-22-053-01 third party advisory us government resource

Frequently Asked Questions

What is the severity of CVE-2022-23921?
CVE-2022-23921 has been scored as a high severity vulnerability.
How to fix CVE-2022-23921?
To fix CVE-2022-23921: GE Digital recommends users upgrade all instances of the affected software to GE Digital’s Proficy CIMPLICITY, released January 2022 (Upgrade) and follow the instructions in the Secure Deployment Guide to restrict which CIMPLICITY projects are allowed to run. The upgrade contains what GE believes are mitigation measures to help ensure the vulnerability cannot be exploited. Users are encouraged to contact a GE Digital representative for the latest versions of the update. For users who choose to not implement the upgrade, GE Digital recommends applying the instructions in CIMPLICITY’s Secure Deployment Guide to ensure access to the CIMPLICITY machines and directories are properly controlled via access control limits.
Is CVE-2022-23921 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2022-23921 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-23921?
CVE-2022-23921 affects General Electric Proficy CIMPLICITY.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.