The (1) CimView and (2) CimEdit components in GE Proficy HMI/SCADA-CIMPLICITY 8.2 and earlier allow remote attackers to gain privileges via a crafted CIMPLICITY screen (aka .CIM) file.
Fixes

Solution

GE recommends that asset owners apply product updates to Proficy HMI/SCADA–CIMPLICITY Versions 8.1 and 8.2. The following product updates address the memory access violation vulnerability:

* Proficy HMI/SCADA–CIMPLICITY 8.1 SIM 29 (DN4219), available at: http://support.ge-ip.com/support/index?page=dwchannel&id=DN4219
* Proficy HMI/SCADA–CIMPLICITY 8.2 SIM 26 (DN4197), available at: http://support.ge-ip.com/support/index?page=dwchannel&id=DN4197


Workaround

In cases where upgrading is not feasible, GE advises asset owners using CIMPLICITY versions prior to 8.1 to consider using the following recommendations that may mitigate or eliminate the impact of the vulnerability:

* Take steps to properly secure and protect stored CIMPLICITY screen files (.CIM).
* Avoid using .CIM files received from unknown sources.
* Avoid sending unprotected .CIM files over unencrypted networks or public Internet.
* Consider using a strong hashing algorithm to validate integrity of created .CIM files and ensure they have not been tampered with over time.

History

Fri, 03 Oct 2025 17:15:00 +0000

Type Values Removed Values Added
Title GE Proficy HMI/SCADA CIMPLICITY CimView
References
Metrics cvssV2_0 {'score': 6.9, 'vector': 'AV:L/AC:M/Au:N/C:C/I:C/A:C'} cvssV2_0 {'score': 6.6, 'vector': 'AV:L/AC:M/Au:S/C:C/I:C/A:C'}


MITRE

Status: PUBLISHED

Assigner: icscert

Published:

Updated: 2025-10-03T17:01:02.978Z

Reserved: 2014-03-13T00:00:00

Link: CVE-2014-2355

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2015-01-17T02:59:00.067

Modified: 2025-10-03T17:15:45.633

Link: CVE-2014-2355

Redhat

No data.

OpenCVE Enrichment

No data.