CVE-2014-0750 - Vulnerability Details - OpenCVE

Directory traversal vulnerability in gefebt.exe in the WebView CimWeb components in GE Intelligent Platforms Proficy HMI/SCADA - CIMPLICITY through 8.2 SIM 24, and Proficy Process Systems with CIMPLICITY, allows remote attackers to execute arbitrary code via a crafted HTTP request, aka ZDI-CAN-1622.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.37562.

Key SSVC decision points have not yet been added.

Vendors	Products
Ge	Intelligent Platforms Proficy Hmi\%2fscada Cimplicity Intelligent Platforms Proficy Hmi\/scada Cimplicity Intelligent Platforms Proficy Process Systems With Cimplicity

Configuration 1 [-]

OR	cpe:2.3:a:ge:intelligent_platforms_proficy_hmi\%2fscada_cimplicity::sim24::::::*
	cpe:2.3:a:ge:intelligent_platforms_proficy_hmi\/scada_cimplicity:4.01:::::::*
	cpe:2.3:a:ge:intelligent_platforms_proficy_hmi\/scada_cimplicity:7.5:::::::*
	cpe:2.3:a:ge:intelligent_platforms_proficy_hmi\/scada_cimplicity:8.0:::::::*
	cpe:2.3:a:ge:intelligent_platforms_proficy_hmi\/scada_cimplicity:8.1:::::::*
	cpe:2.3:a:ge:intelligent_platforms_proficy_hmi\/scada_cimplicity:8.2:::::::*
	cpe:2.3:a:ge:intelligent_platforms_proficy_process_systems_with_cimplicity:-:::::::*

No data.

No data.

References

Link	Providers
http://ics-cert.us-cert.gov/advisories/ICSA-14-023-01
http://support.ge-ip.com/support/index?page=kbchannel&id=KB15939
http://www.securityfocus.com/bid/65124
https://www.cisa.gov/news-events/ics-advisories/icsa-14-023-01

History

Fri, 22 Aug 2025 23:00:00 +0000

Type	Values Removed	Values Added
Title		GE Proficy HMI/SCADA Path Traversal
References		https://www.cisa.gov/news-events/ics-advisories/icsa-14-023-01

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2014-01-25T22:00:00

Updated: 2025-08-22T22:52:23.571Z

Reserved: 2014-01-02T00:00:00

Link: CVE-2014-0750

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2014-01-25T22:55:04.550

Modified: 2025-08-22T23:15:29.763

Link: CVE-2014-0750

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Proficy HMI/SCADA - CIMPLICITY", "vendor": "GE", "versions": [{"lessThan": "8.2", "status": "affected", "version": "4.01", "versionType": "custom"}]}, {"defaultStatus": "unaffected", "product": "Proficy Process Systems with CIMPLICITY", "vendor": "GE", "versions": [{"status": "affected", "version": "all versions"}]}], "credits": [{"lang": "en", "type": "finder", "value": "amisto0x07 and Z0mb1E of Zero Day Initiative (ZDI)"}], "datePublic": "2014-01-24T07:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>Directory traversal vulnerability in gefebt.exe in the WebView CimWeb components in GE Intelligent Platforms Proficy HMI/SCADA - CIMPLICITY through 8.2 SIM 24, and Proficy Process Systems with CIMPLICITY, allows remote attackers to execute arbitrary code via a crafted HTTP request, aka ZDI-CAN-1622.</p>"}], "value": "Directory traversal vulnerability in gefebt.exe in the WebView CimWeb components in GE Intelligent Platforms Proficy HMI/SCADA - CIMPLICITY through 8.2 SIM 24, and Proficy Process Systems with CIMPLICITY, allows remote attackers to execute arbitrary code via a crafted HTTP request, aka ZDI-CAN-1622."}], "metrics": [{"cvssV2_0": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "description": "CWE-22", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2025-08-22T22:52:23.571Z"}, "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-14-023-01"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://support.ge-ip.com/support/index?page=kbchannel&id=KB15939"}, {"name": "65124", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/65124"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>GE has produced an update that mitigates one vulnerability and made \nconfiguration changes to mitigate the other. Please reference the \nfollowing GE Product Security Advisories for specific information on the\n vulnerabilities.</p>\n<p>GEIP13-05</p>\n<p>To address this vulnerability, all copies of the gefebt.exe files \nthat are accessible from a Web client must be deleted or moved, so they \nare inaccessible. If the production Web configuration currently relies \non gefebt.exe, changes to the server\u2019s Web pages may also be desirable.</p><p>The GE Product Security Advisory, which provides additional guidance, is available here: <a target=\"_blank\" rel=\"nofollow\" href=\"http://support.ge-ip.com/support/index?page=kbchannel&id=KB15939\">http://support.ge-ip.com/support/index?page=kbchannel&id=KB15939</a></p>\n<p>GEIP13-06</p><p>Download Proficy HMI/SCADA - CIMPLICITY 8.2 SIM 24 at: <a target=\"_blank\" rel=\"nofollow\" href=\"http://support.ge-ip.com/support/index?page=dwchannel&id=DN4128\">http://support.ge-ip.com/support/index?page=dwchannel&id=DN4128</a></p><p>The GE Product Security Advisory is available here: <a target=\"_blank\" rel=\"nofollow\" href=\"http://support.ge-ip.com/support/index?page=kbchannel&id=KB15940\">http://support.ge-ip.com/support/index?page=kbchannel&id=KB15940</a></p>\n\n<br>"}], "value": "GE has produced an update that mitigates one vulnerability and made \nconfiguration changes to mitigate the other. Please reference the \nfollowing GE Product Security Advisories for specific information on the\n vulnerabilities.\n\n\nGEIP13-05\n\n\nTo address this vulnerability, all copies of the gefebt.exe files \nthat are accessible from a Web client must be deleted or moved, so they \nare inaccessible. If the production Web configuration currently relies \non gefebt.exe, changes to the server\u2019s Web pages may also be desirable.\n\nThe GE Product Security Advisory, which provides additional guidance, is available here:\u00a0 http://support.ge-ip.com/support/index?page=kbchannel&id=KB15939 \n\n\nGEIP13-06\n\nDownload Proficy HMI/SCADA - CIMPLICITY 8.2 SIM 24 at:\u00a0 http://support.ge-ip.com/support/index?page=dwchannel&id=DN4128 \n\nThe GE Product Security Advisory is available here:\u00a0 http://support.ge-ip.com/support/index?page=kbchannel&id=KB15940"}], "source": {"advisory": "ICSA-14-023-01", "discovery": "EXTERNAL"}, "title": "GE Proficy HMI/SCADA Path Traversal", "x_generator": {"engine": "Vulnogram 0.2.0"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2014-0750", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Directory traversal vulnerability in gefebt.exe in the WebView CimWeb components in GE Intelligent Platforms Proficy HMI/SCADA - CIMPLICITY through 8.2 SIM 24, and Proficy Process Systems with CIMPLICITY, allows remote attackers to execute arbitrary code via a crafted HTTP request, aka ZDI-CAN-1622."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://ics-cert.us-cert.gov/advisories/ICSA-14-023-01", "refsource": "MISC", "url": "http://ics-cert.us-cert.gov/advisories/ICSA-14-023-01"}, {"name": "http://support.ge-ip.com/support/index?page=kbchannel&id=KB15939", "refsource": "CONFIRM", "url": "http://support.ge-ip.com/support/index?page=kbchannel&id=KB15939"}, {"name": "65124", "refsource": "BID", "url": "http://www.securityfocus.com/bid/65124"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T09:27:19.508Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://ics-cert.us-cert.gov/advisories/ICSA-14-023-01"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://support.ge-ip.com/support/index?page=kbchannel&id=KB15939"}, {"name": "65124", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/65124"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2014-0750", "datePublished": "2014-01-25T22:00:00", "dateReserved": "2014-01-02T00:00:00", "dateUpdated": "2025-08-22T22:52:23.571Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ge:intelligent_platforms_proficy_hmi\\%2fscada_cimplicity:*:sim24:*:*:*:*:*:*", "matchCriteriaId": "4C5EDB9D-01CD-4843-86CD-C834B726ACF1", "versionEndIncluding": "8.2", "vulnerable": true}, {"criteria": "cpe:2.3:a:ge:intelligent_platforms_proficy_hmi\\/scada_cimplicity:4.01:*:*:*:*:*:*:*", "matchCriteriaId": "6C0B8CA7-2161-4603-B844-DE6C079DF36F", "vulnerable": true}, {"criteria": "cpe:2.3:a:ge:intelligent_platforms_proficy_hmi\\/scada_cimplicity:7.5:*:*:*:*:*:*:*", "matchCriteriaId": "E3BACB11-5CD3-4CA6-9C56-D71628CADF0F", "vulnerable": true}, {"criteria": "cpe:2.3:a:ge:intelligent_platforms_proficy_hmi\\/scada_cimplicity:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "90538C50-38BD-4EE5-BD30-96E2E2951FE3", "vulnerable": true}, {"criteria": "cpe:2.3:a:ge:intelligent_platforms_proficy_hmi\\/scada_cimplicity:8.1:*:*:*:*:*:*:*", "matchCriteriaId": "CB261867-B9B1-4D3D-B2DE-3CC3164EFD06", "vulnerable": true}, {"criteria": "cpe:2.3:a:ge:intelligent_platforms_proficy_hmi\\/scada_cimplicity:8.2:*:*:*:*:*:*:*", "matchCriteriaId": "559DCD7A-0745-4D4C-A77A-83240EF6C510", "vulnerable": true}, {"criteria": "cpe:2.3:a:ge:intelligent_platforms_proficy_process_systems_with_cimplicity:-:*:*:*:*:*:*:*", "matchCriteriaId": "AD9711EA-2C95-41FA-8827-01FCB0ED4B06", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Directory traversal vulnerability in gefebt.exe in the WebView CimWeb components in GE Intelligent Platforms Proficy HMI/SCADA - CIMPLICITY through 8.2 SIM 24, and Proficy Process Systems with CIMPLICITY, allows remote attackers to execute arbitrary code via a crafted HTTP request, aka ZDI-CAN-1622."}, {"lang": "es", "value": "Vulnerabilidad de recorrido de directorios en gefebt.exe en los componentes WebView CimWeb de GE Intelligent Platforms Proficy HMI/SCADA - CIMPLICITY hasta 8.2 SIM 24, y Proficy Process Systems with CIMPLICITY, permite a atacantes remotos ejecutar c\u00f3digo de forma arbitraria a trav\u00e9s de una petici\u00f3n HTTP manipulada, tambien conocido como ZDI-CAN-1622."}], "id": "CVE-2014-0750", "lastModified": "2025-08-22T23:15:29.763", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "ics-cert@hq.dhs.gov", "type": "Secondary", "userInteractionRequired": false}, {"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 7.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2014-01-25T22:55:04.550", "references": [{"source": "ics-cert@hq.dhs.gov", "tags": ["Vendor Advisory"], "url": "http://support.ge-ip.com/support/index?page=kbchannel&id=KB15939"}, {"source": "ics-cert@hq.dhs.gov", "url": "http://www.securityfocus.com/bid/65124"}, {"source": "ics-cert@hq.dhs.gov", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-14-023-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["US Government Resource"], "url": "http://ics-cert.us-cert.gov/advisories/ICSA-14-023-01"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "http://support.ge-ip.com/support/index?page=kbchannel&id=KB15939"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.securityfocus.com/bid/65124"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-22"}], "source": "nvd@nist.gov", "type": "Secondary"}]}