CVE-2014-2355 - Vulnerability Details - OpenCVE

The (1) CimView and (2) CimEdit components in GE Proficy HMI/SCADA-CIMPLICITY 8.2 and earlier allow remote attackers to gain privileges via a crafted CIMPLICITY screen (aka .CIM) file.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Local

Access Complexity Medium

Authentication Single

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Ge	Intelligent Platforms Proficy Hmi\/scada Cimplicity

Configuration 1 [-]

cpe:2.3:a:ge:intelligent_platforms_proficy_hmi\/scada_cimplicity:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
https://ics-cert.us-cert.gov/advisories/ICSA-14-289-02
https://www.cisa.gov/news-events/ics-advisories/icsa-14-289-02

History

Fri, 03 Oct 2025 17:15:00 +0000

Type	Values Removed	Values Added
Title		GE Proficy HMI/SCADA CIMPLICITY CimView
References		https://www.cisa.gov/news-events/ics-advisories/icsa-14-289-02
Metrics	cvssV2_0 `{'score': 6.9, 'vector': 'AV:L/AC:M/Au:N/C:C/I:C/A:C'}`	cvssV2_0 `{'score': 6.6, 'vector': 'AV:L/AC:M/Au:S/C:C/I:C/A:C'}`

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2015-01-17T02:00:00

Updated: 2025-10-03T17:01:02.978Z

Reserved: 2014-03-13T00:00:00

Link: CVE-2014-2355

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2015-01-17T02:59:00.067

Modified: 2025-10-03T17:15:45.633

Link: CVE-2014-2355

Redhat

No data.

{"containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Proficy HMI/SCADA\u2013CIMPLICITY", "vendor": "GE", "versions": [{"lessThanOrEqual": "8.2", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Said Arfi"}], "datePublic": "2015-01-13T07:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>The (1) CimView and (2) CimEdit components in GE Proficy HMI/SCADA-CIMPLICITY 8.2 and earlier allow remote attackers to gain privileges via a crafted CIMPLICITY screen (aka .CIM) file.</p>"}], "value": "The (1) CimView and (2) CimEdit components in GE Proficy HMI/SCADA-CIMPLICITY 8.2 and earlier allow remote attackers to gain privileges via a crafted CIMPLICITY screen (aka .CIM) file."}], "metrics": [{"cvssV2_0": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 6.6, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-119", "description": "CWE-119", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2025-10-03T17:01:02.978Z"}, "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-14-289-02"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>GE recommends that asset owners apply product updates to Proficy \nHMI/SCADA\u2013CIMPLICITY Versions 8.1 and 8.2. The following product updates\n address the memory access violation vulnerability:</p><p>Proficy HMI/SCADA \u2013 CIMPLICITY 8.1 SIM 29 (DN4219) available at: <a target=\"_blank\" rel=\"nofollow\" href=\"http://support.ge-ip.com/support/index?page=dwchannel&id=DN4219\">http://support.ge-ip.com/support/index?page=dwchannel&id=DN4219</a></p><p>Proficy HMI/SCADA\u2013CIMPLICITY 8.2 SIM 26 (DN4197) available at: <a target=\"_blank\" rel=\"nofollow\" href=\"http://support.ge-ip.com/support/index?page=dwchannel&id=DN4197\">http://support.ge-ip.com/support/index?page=dwchannel&id=DN4197</a></p>\n\n<br>"}], "value": "GE recommends that asset owners apply product updates to Proficy \nHMI/SCADA\u2013CIMPLICITY Versions 8.1 and 8.2. The following product updates\n address the memory access violation vulnerability:\n\nProficy HMI/SCADA \u2013 CIMPLICITY 8.1 SIM 29 (DN4219) available at:\u00a0 http://support.ge-ip.com/support/index?page=dwchannel&id=DN4219 \n\nProficy HMI/SCADA\u2013CIMPLICITY 8.2 SIM 26 (DN4197) available at:\u00a0 http://support.ge-ip.com/support/index?page=dwchannel&id=DN4197"}], "source": {"advisory": "ICSA-14-289-02", "discovery": "EXTERNAL"}, "title": "GE Proficy HMI/SCADA CIMPLICITY CimView", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "<p>In cases where upgrading is not feasible, GE advises asset owners \nusing CIMPLICITY versions prior to 8.1 to consider using the following \nrecommendations that may mitigate or eliminate the impact of the \nvulnerability:</p>\n<ul>\n<li>Take steps to properly secure and protect stored CIMPLICITY screen files (.CIM).</li>\n<li>Avoid using .CIM files received from unknown sources.</li>\n<li>Avoid sending unprotected .CIM files over unencrypted networks or public Internet.</li>\n<li>Consider using a strong hashing algorithm to validate integrity of \ncreated .CIM files and ensure they have not been tampered with over \ntime.</li>\n</ul>\n\n<br>"}], "value": "In cases where upgrading is not feasible, GE advises asset owners \nusing CIMPLICITY versions prior to 8.1 to consider using the following \nrecommendations that may mitigate or eliminate the impact of the \nvulnerability:\n\n\n\n * Take steps to properly secure and protect stored CIMPLICITY screen files (.CIM).\n\n * Avoid using .CIM files received from unknown sources.\n\n * Avoid sending unprotected .CIM files over unencrypted networks or public Internet.\n\n * Consider using a strong hashing algorithm to validate integrity of \ncreated .CIM files and ensure they have not been tampered with over \ntime."}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "ics-cert@hq.dhs.gov", "ID": "CVE-2014-2355", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The (1) CimView and (2) CimEdit components in GE Proficy HMI/SCADA-CIMPLICITY 8.2 and earlier allow remote attackers to gain privileges via a crafted CIMPLICITY screen (aka .CIM) file."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://ics-cert.us-cert.gov/advisories/ICSA-14-289-02", "refsource": "MISC", "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-289-02"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T10:14:25.389Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-289-02"}]}]}, "cveMetadata": {"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "assignerShortName": "icscert", "cveId": "CVE-2014-2355", "datePublished": "2015-01-17T02:00:00", "dateReserved": "2014-03-13T00:00:00", "dateUpdated": "2025-10-03T17:01:02.978Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ge:intelligent_platforms_proficy_hmi\\/scada_cimplicity:*:*:*:*:*:*:*:*", "matchCriteriaId": "05C547A7-08D0-475E-BD24-57CC3DF2F89E", "versionEndIncluding": "8.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The (1) CimView and (2) CimEdit components in GE Proficy HMI/SCADA-CIMPLICITY 8.2 and earlier allow remote attackers to gain privileges via a crafted CIMPLICITY screen (aka .CIM) file."}, {"lang": "es", "value": "Los componentes (1) CimView y (2) CimEdit en GE Proficy HMI/SCADA-CIMPLICITY 8.2 y anteriores permiten a atacantes remotos ganar privilegios a trav\u00e9s de un fichero de pantalla CIMPLICITY manipulado (tambi\u00e9n conocido como .CIM)."}], "id": "CVE-2014-2355", "lastModified": "2025-10-03T17:15:45.633", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 6.6, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 2.7, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "ics-cert@hq.dhs.gov", "type": "Secondary", "userInteractionRequired": true}, {"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 6.9, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.4, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": true}]}, "published": "2015-01-17T02:59:00.067", "references": [{"source": "ics-cert@hq.dhs.gov", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-14-289-02"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "US Government Resource"], "url": "https://ics-cert.us-cert.gov/advisories/ICSA-14-289-02"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-119"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-119"}], "source": "nvd@nist.gov", "type": "Secondary"}]}