Aggregates CVE and security vulnerability intelligence across all GE-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Disclosed issues often relate to vendor risk path handling, vendor risk input validation, and vendor risk cross-site scripting; exposure may include vendor impact memory corruption in vendor surface production workloads contexts.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2023-5909 | KEPServerEX does not properly validate certificates from clients which may allow unauthenticated users to connect. | [email protected] | 7.5 | 0.44% | 2023-11-30 | 2024-11-21 |
| CVE-2023-5908 | KEPServerEX is vulnerable to a buffer overflow which may allow an attacker to crash the product being accessed or leak information. | [email protected] | 9.1 | 0.96% | 2023-11-30 | 2024-11-21 |
| CVE-2023-0898 | General Electric MiCOM S1 Agile is vulnerable to an attacker achieving code execution by placing malicious DLL files in the directory of the application. | [email protected] | 5.3 | 0.26% | 2023-11-07 | 2024-11-21 |
| CVE-2023-4487 | GE CIMPLICITY 2023 is by a process control vulnerability, which could allow a local attacker to insert malicious configuration files in the expected web server execution path to escalate privileges and gain full control of the HMI software. | [email protected] | 7.8 | 0.18% | 2023-09-05 | 2024-11-21 |
| CVE-2023-3463 | All versions of GE Digital CIMPLICITY that are not adhering to SDG guidance and accepting documents from untrusted sources are vulnerable to memory corruption issues due to insufficient input validation, including issues such as out-of-bounds reads and writes, use-after-free, stack-based buffer overflows, uninitialized pointers, and a heap-based buffer overflow. Successful exploitation could allow an attacker to execute arbitrary code. | [email protected] | 6.6 | 0.38% | 2023-07-19 | 2024-11-21 |
| CVE-2023-1552 | ToolboxST prior to version 7.10 is affected by a deserialization vulnerability. An attacker with local access to an HMI or who has conducted a social engineering attack on an authorized operator could execute code in a Toolbox user's context through the deserialization of an untrusted configuration file. Two CVSS scores have been provided to capture the differences between the two aforementioned attack vectors. Customers are advised to update to ToolboxST 7.10 which can be found in ControlST 7 | [email protected] | 6.4 | 0.24% | 2023-04-11 | 2024-11-21 |
| CVE-2022-2848 | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Kepware KEPServerEX 6.11.718.0. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of text encoding conversions. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-16 | [email protected] | 9.1 | 3.37% | 2023-03-29 | 2025-02-18 |
| CVE-2022-2825 | This vulnerability allows remote attackers to execute arbitrary code on affected installations of Kepware KEPServerEX 6.11.718.0. Authentication is not required to exploit this vulnerability. The specific flaw exists within the handling of text encoding conversions. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-1 | [email protected] | 9.8 | 3.40% | 2023-03-29 | 2025-02-18 |
| CVE-2023-0598 | GE Digital Proficy iFIX 2022, GE Digital Proficy iFIX v6.1, and GE Digital Proficy iFIX v6.5 are vulnerable to code injection, which may allow an attacker to insert malicious configuration files in the expected web server execution path and gain full control of the HMI software. | [email protected] | 7.8 | 0.57% | 2023-03-16 | 2024-11-21 |
| CVE-2023-0755 | The affected products are vulnerable to an improper validation of array index, which could allow an attacker to crash the server and remotely execute arbitrary code. | [email protected] | 9.8 | 11.78% | 2023-02-23 | 2024-11-21 |
| CVE-2023-0754 | The affected products are vulnerable to an integer overflow or wraparound, which could allow an attacker to crash the server and remotely execute arbitrary code. | [email protected] | 9.8 | 2.94% | 2023-02-23 | 2024-11-21 |
| CVE-2022-46732 | Even if the authentication fails for local service authentication, the requested command could still execute regardless of authentication status. | [email protected] | 9.8 | 0.82% | 2023-01-18 | 2025-01-17 |
| CVE-2022-46660 | An unauthorized user could alter or write files with full control over the path and content of the file. | [email protected] | 7.5 | 0.56% | 2023-01-18 | 2024-11-21 |
| CVE-2022-46331 | An unauthorized user could possibly delete any file on the system. | [email protected] | 7.5 | 0.52% | 2023-01-18 | 2024-11-21 |
| CVE-2022-43494 | An unauthorized user could be able to read any file on the system, potentially exposing sensitive information. | [email protected] | 7.5 | 0.55% | 2023-01-18 | 2024-11-21 |
| CVE-2022-38469 | An unauthorized user with network access and the decryption key could decrypt sensitive data, such as usernames and passwords. | [email protected] | 7.5 | 0.61% | 2023-01-18 | 2024-11-21 |
| CVE-2022-43977 | An issue was discovered on GE Grid Solutions MS3000 devices before 3.7.6.25p0_3.2.2.17p0_4.7p0. The debug port accessible via TCP (a qconn service) lacks access control. | [email protected] | 9.8 | 0.62% | 2023-01-17 | 2025-04-04 |
| CVE-2022-43976 | An issue was discovered in FC46-WebBridge on GE Grid Solutions MS3000 devices before 3.7.6.25p0_3.2.2.17p0_4.7p0. Direct access to the API is possible on TCP port 8888 via programs located in the cgi-bin folder without any authentication. | [email protected] | 9.8 | 0.70% | 2023-01-17 | 2025-04-07 |
| CVE-2022-43975 | An issue was discovered in FC46-WebBridge on GE Grid Solutions MS3000 devices before 3.7.6.25p0_3.2.2.17p0_4.7p0. A vulnerability in the web server allows arbitrary files and configurations to be read via directory traversal over TCP port 8888. | [email protected] | 7.5 | 0.92% | 2023-01-17 | 2025-04-07 |
| CVE-2022-24120 | Certain General Electric Renewable Energy products store cleartext credentials in flash memory. This affects iNET and iNET II before 8.3.0. | [email protected] | 4.6 | 0.18% | 2022-12-26 | 2025-04-12 |