CVE-2014-0750 (GCVE-0-2014-0750)

Vulnerability from cvelistv5 – Published: 2014-01-25 22:00 – Updated: 2025-08-22 22:52
Summary
Directory traversal vulnerability in gefebt.exe in the WebView CimWeb components in GE Intelligent Platforms Proficy HMI/SCADA - CIMPLICITY through 8.2 SIM 24, and Proficy Process Systems with CIMPLICITY, allows remote attackers to execute arbitrary code via a crafted HTTP request, aka ZDI-CAN-1622.
Credits
amisto0x07 and Z0mb1E of Zero Day Initiative (ZDI)

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T09:27:19.508Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "http://ics-cert.us-cert.gov/advisories/ICSA-14-023-01"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://support.ge-ip.com/support/index?page=kbchannel\u0026id=KB15939"
          },
          {
            "name": "65124",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/65124"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Proficy HMI/SCADA - CIMPLICITY",
          "vendor": "GE",
          "versions": [
            {
              "lessThan": "8.2",
              "status": "affected",
              "version": "4.01",
              "versionType": "custom"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "Proficy Process Systems with CIMPLICITY",
          "vendor": "GE",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "amisto0x07 and Z0mb1E of Zero Day Initiative (ZDI)"
        }
      ],
      "datePublic": "2014-01-24T07:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eDirectory traversal vulnerability in gefebt.exe in the WebView CimWeb components in GE Intelligent Platforms Proficy HMI/SCADA - CIMPLICITY through 8.2 SIM 24, and Proficy Process Systems with CIMPLICITY, allows remote attackers to execute arbitrary code via a crafted HTTP request, aka ZDI-CAN-1622.\u003c/p\u003e"
            }
          ],
          "value": "Directory traversal vulnerability in gefebt.exe in the WebView CimWeb components in GE Intelligent Platforms Proficy HMI/SCADA - CIMPLICITY through 8.2 SIM 24, and Proficy Process Systems with CIMPLICITY, allows remote attackers to execute arbitrary code via a crafted HTTP request, aka ZDI-CAN-1622."
        }
      ],
      "metrics": [
        {
          "cvssV2_0": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-22T22:52:23.571Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-14-023-01"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://support.ge-ip.com/support/index?page=kbchannel\u0026id=KB15939"
        },
        {
          "name": "65124",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/65124"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eGE has produced an update that mitigates one vulnerability and made \nconfiguration changes to mitigate the other. Please reference the \nfollowing GE Product Security Advisories for specific information on the\n vulnerabilities.\u003c/p\u003e\n\u003cp\u003eGEIP13-05\u003c/p\u003e\n\u003cp\u003eTo address this vulnerability, all copies of the gefebt.exe files \nthat are accessible from a Web client must be deleted or moved, so they \nare inaccessible. If the production Web configuration currently relies \non gefebt.exe, changes to the server\u2019s Web pages may also be desirable.\u003c/p\u003e\u003cp\u003eThe GE Product Security Advisory, which provides additional guidance, is available here:\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://support.ge-ip.com/support/index?page=kbchannel\u0026amp;id=KB15939\"\u003ehttp://support.ge-ip.com/support/index?page=kbchannel\u0026amp;id=KB15939\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003eGEIP13-06\u003c/p\u003e\u003cp\u003eDownload Proficy HMI/SCADA - CIMPLICITY 8.2 SIM 24 at:\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://support.ge-ip.com/support/index?page=dwchannel\u0026amp;id=DN4128\"\u003ehttp://support.ge-ip.com/support/index?page=dwchannel\u0026amp;id=DN4128\u003c/a\u003e\u003c/p\u003e\u003cp\u003eThe GE Product Security Advisory is available here:\u0026nbsp;\u003ca target=\"_blank\" rel=\"nofollow\" href=\"http://support.ge-ip.com/support/index?page=kbchannel\u0026amp;id=KB15940\"\u003ehttp://support.ge-ip.com/support/index?page=kbchannel\u0026amp;id=KB15940\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "GE has produced an update that mitigates one vulnerability and made \nconfiguration changes to mitigate the other. Please reference the \nfollowing GE Product Security Advisories for specific information on the\n vulnerabilities.\n\n\nGEIP13-05\n\n\nTo address this vulnerability, all copies of the gefebt.exe files \nthat are accessible from a Web client must be deleted or moved, so they \nare inaccessible. If the production Web configuration currently relies \non gefebt.exe, changes to the server\u2019s Web pages may also be desirable.\n\nThe GE Product Security Advisory, which provides additional guidance, is available here:\u00a0 http://support.ge-ip.com/support/index?page=kbchannel\u0026id=KB15939 \n\n\nGEIP13-06\n\nDownload Proficy HMI/SCADA - CIMPLICITY 8.2 SIM 24 at:\u00a0 http://support.ge-ip.com/support/index?page=dwchannel\u0026id=DN4128 \n\nThe GE Product Security Advisory is available here:\u00a0 http://support.ge-ip.com/support/index?page=kbchannel\u0026id=KB15940"
        }
      ],
      "source": {
        "advisory": "ICSA-14-023-01",
        "discovery": "EXTERNAL"
      },
      "title": "GE Proficy HMI/SCADA Path Traversal",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "ics-cert@hq.dhs.gov",
          "ID": "CVE-2014-0750",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Directory traversal vulnerability in gefebt.exe in the WebView CimWeb components in GE Intelligent Platforms Proficy HMI/SCADA - CIMPLICITY through 8.2 SIM 24, and Proficy Process Systems with CIMPLICITY, allows remote attackers to execute arbitrary code via a crafted HTTP request, aka ZDI-CAN-1622."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "http://ics-cert.us-cert.gov/advisories/ICSA-14-023-01",
              "refsource": "MISC",
              "url": "http://ics-cert.us-cert.gov/advisories/ICSA-14-023-01"
            },
            {
              "name": "http://support.ge-ip.com/support/index?page=kbchannel\u0026id=KB15939",
              "refsource": "CONFIRM",
              "url": "http://support.ge-ip.com/support/index?page=kbchannel\u0026id=KB15939"
            },
            {
              "name": "65124",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/65124"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2014-0750",
    "datePublished": "2014-01-25T22:00:00",
    "dateReserved": "2014-01-02T00:00:00",
    "dateUpdated": "2025-08-22T22:52:23.571Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "fkie_nvd": {
      "configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ge:intelligent_platforms_proficy_hmi\\\\%2fscada_cimplicity:*:sim24:*:*:*:*:*:*\", \"versionEndIncluding\": \"8.2\", \"matchCriteriaId\": \"4C5EDB9D-01CD-4843-86CD-C834B726ACF1\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ge:intelligent_platforms_proficy_hmi\\\\/scada_cimplicity:4.01:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"6C0B8CA7-2161-4603-B844-DE6C079DF36F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ge:intelligent_platforms_proficy_hmi\\\\/scada_cimplicity:7.5:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E3BACB11-5CD3-4CA6-9C56-D71628CADF0F\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ge:intelligent_platforms_proficy_hmi\\\\/scada_cimplicity:8.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"90538C50-38BD-4EE5-BD30-96E2E2951FE3\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ge:intelligent_platforms_proficy_hmi\\\\/scada_cimplicity:8.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"CB261867-B9B1-4D3D-B2DE-3CC3164EFD06\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ge:intelligent_platforms_proficy_hmi\\\\/scada_cimplicity:8.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"559DCD7A-0745-4D4C-A77A-83240EF6C510\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:ge:intelligent_platforms_proficy_process_systems_with_cimplicity:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"AD9711EA-2C95-41FA-8827-01FCB0ED4B06\"}]}]}]",
      "descriptions": "[{\"lang\": \"en\", \"value\": \"Directory traversal vulnerability in gefebt.exe in the WebView CimWeb components in GE Intelligent Platforms Proficy HMI/SCADA - CIMPLICITY through 8.2 SIM 24, and Proficy Process Systems with CIMPLICITY, allows remote attackers to execute arbitrary code via a crafted HTTP request, aka ZDI-CAN-1622.\"}, {\"lang\": \"es\", \"value\": \"Vulnerabilidad de recorrido de directorios en gefebt.exe en los componentes WebView CimWeb de GE Intelligent Platforms Proficy HMI/SCADA - CIMPLICITY hasta 8.2 SIM 24, y Proficy Process Systems with CIMPLICITY, permite a atacantes remotos ejecutar c\\u00f3digo de forma arbitraria a trav\\u00e9s de una petici\\u00f3n HTTP manipulada, tambien conocido como ZDI-CAN-1622.\"}]",
      "id": "CVE-2014-0750",
      "lastModified": "2024-11-21T02:02:44.483",
      "metrics": "{\"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:N/AC:L/Au:N/C:P/I:P/A:P\", \"baseScore\": 7.5, \"accessVector\": \"NETWORK\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"PARTIAL\", \"integrityImpact\": \"PARTIAL\", \"availabilityImpact\": \"PARTIAL\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 10.0, \"impactScore\": 6.4, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}",
      "published": "2014-01-25T22:55:04.550",
      "references": "[{\"url\": \"http://ics-cert.us-cert.gov/advisories/ICSA-14-023-01\", \"source\": \"ics-cert@hq.dhs.gov\", \"tags\": [\"US Government Resource\"]}, {\"url\": \"http://support.ge-ip.com/support/index?page=kbchannel\u0026id=KB15939\", \"source\": \"ics-cert@hq.dhs.gov\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.securityfocus.com/bid/65124\", \"source\": \"ics-cert@hq.dhs.gov\"}, {\"url\": \"http://ics-cert.us-cert.gov/advisories/ICSA-14-023-01\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"US Government Resource\"]}, {\"url\": \"http://support.ge-ip.com/support/index?page=kbchannel\u0026id=KB15939\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://www.securityfocus.com/bid/65124\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}]",
      "sourceIdentifier": "ics-cert@hq.dhs.gov",
      "vulnStatus": "Modified",
      "weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-22\"}]}]"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2014-0750\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2014-01-25T22:55:04.550\",\"lastModified\":\"2025-08-22T23:15:29.763\",\"vulnStatus\":\"Deferred\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Directory traversal vulnerability in gefebt.exe in the WebView CimWeb components in GE Intelligent Platforms Proficy HMI/SCADA - CIMPLICITY through 8.2 SIM 24, and Proficy Process Systems with CIMPLICITY, allows remote attackers to execute arbitrary code via a crafted HTTP request, aka ZDI-CAN-1622.\"},{\"lang\":\"es\",\"value\":\"Vulnerabilidad de recorrido de directorios en gefebt.exe en los componentes WebView CimWeb de GE Intelligent Platforms Proficy HMI/SCADA - CIMPLICITY hasta 8.2 SIM 24, y Proficy Process Systems with CIMPLICITY, permite a atacantes remotos ejecutar c\u00f3digo de forma arbitraria a trav\u00e9s de una petici\u00f3n HTTP manipulada, tambien conocido como ZDI-CAN-1622.\"}],\"metrics\":{\"cvssMetricV2\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:N/AC:L/Au:N/C:P/I:P/A:P\",\"baseScore\":7.5,\"accessVector\":\"NETWORK\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"PARTIAL\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":10.0,\"impactScore\":6.4,\"acI
nsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ge:intelligent_platforms_proficy_hmi\\\\%2fscada_cimplicity:*:sim24:*:*:*:*:*:*\",\"versionEndIncluding\":\"8.2\",\"matchCriteriaId\":\"4C5EDB9D-01CD-4843-86CD-C834B726ACF1\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ge:intelligent_platforms_proficy_hmi\\\\/scada_cimplicity:4.01:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6C0B8CA7-2161-4603-B844-DE6C079DF36F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ge:intelligent_platforms_proficy_hmi\\\\/scada_cimplicity:7.5:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E3BACB11-5CD3-4CA6-9C56-D71628CADF0F\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ge:intelligent_platforms_proficy_hmi\\\\/scada_cimplicity:8.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"90538C50-38BD-4EE5-BD30-96E2E2951FE3\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ge:intelligent_platforms_proficy_hmi\\\\/scada_cimplicity:8.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"CB261867-B9B1-4D3D-B2DE-3CC3164EFD06\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ge:intelligent_platforms_proficy_hmi\\\\/scada_cimplicity:8.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"559DCD7A-0745-4D4C-A77A-83240EF6C510\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:ge:intelligent_platforms_proficy_process_systems_with_cimplicity:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"AD9711EA-2C95-41FA-8827-01FCB0ED4B06\"}]}]}],\"references\":[{\"url\":\"http://support.ge-ip.com/support/index?page=kbchannel\u0026id=KB15939\",\"source\":\"ics-cert@hq.dhs.gov\",\"tags\":[\"Vendor 
Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/65124\",\"source\":\"ics-cert@hq.dhs.gov\"},{\"url\":\"https://www.cisa.gov/news-events/ics-advisories/icsa-14-023-01\",\"source\":\"ics-cert@hq.dhs.gov\"},{\"url\":\"http://ics-cert.us-cert.gov/advisories/ICSA-14-023-01\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"US Government Resource\"]},{\"url\":\"http://support.ge-ip.com/support/index?page=kbchannel\u0026id=KB15939\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://www.securityfocus.com/bid/65124\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}

