CVE-2023-0598

GE Digital Proficy Code Injection

Description

GE Digital Proficy iFIX 2022, GE Digital Proficy iFIX v6.1, and GE Digital Proficy iFIX v6.5 are vulnerable to code injection, which may allow an attacker to insert malicious configuration files in the expected web server execution path and gain full control of the HMI software.

Remediation

Solution:

  • GE Digital recommends that users upgrade to Proficy iFIX 2023. GE Digital recommends that any users choosing not to upgrade at this time apply the Simulation Drivers (SIMs) provided below to their earlier GE Digital Proficy iFIX versions (login required): * iFIX 2023 - select “Download Software Updates”: * iFIX 2022 SIM https://digitalsupport.ge.com/s/article/iFIX2022-WebSecurity-001   * iFIX v6.1 SIM https://digitalsupport.ge.com/s/article/iFIX61-WebSecurity-001   * iFIX v6.5 SIM https://digitalsupport.ge.com/s/article/iFIX65-WebSecurity-001  

Workaround:

  • Also, users are strongly advised to refer to the Secure Deployment Guide (SDG) instructions on how to set-up and configure Access Control List (ACLs). The complete SDG can be found here https://digitalsupport.ge.com/s/article/iFIX-Secure-Deployment-Guide .  

Category

7.8
CVSS
Severity: High
CVSS 3.1 •
EPSS 0.05%
Third-Party Advisory cisa.gov
Affected: GE Digital Proficy iFIX
Published at:
Updated at:

References

Link Tags
https://www.cisa.gov/news-events/ics-advisories/icsa-23-073-03 third party advisory us government resource
https://digitalsupport.ge.com/s/article/iFIX-Secure-Deployment-Guide?language=en_US permissions required

Frequently Asked Questions

What is the severity of CVE-2023-0598?
CVE-2023-0598 has been scored as a high severity vulnerability.
How to fix CVE-2023-0598?
To fix CVE-2023-0598: GE Digital recommends that users upgrade to Proficy iFIX 2023. GE Digital recommends that any users choosing not to upgrade at this time apply the Simulation Drivers (SIMs) provided below to their earlier GE Digital Proficy iFIX versions (login required): * iFIX 2023 - select “Download Software Updates”: * iFIX 2022 SIM https://digitalsupport.ge.com/s/article/iFIX2022-WebSecurity-001   * iFIX v6.1 SIM https://digitalsupport.ge.com/s/article/iFIX61-WebSecurity-001   * iFIX v6.5 SIM https://digitalsupport.ge.com/s/article/iFIX65-WebSecurity-001  
Is CVE-2023-0598 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2023-0598 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-0598?
CVE-2023-0598 affects GE Digital Proficy iFIX.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.