Protect Your GE Digital Proficy iFIX Systems – Critical Vulnerability Discovered

CVE: CVE-2023-0598
CVSS: 7.8 (CVSS v3.1)
Source: CVE-2023-0598

GE Digital Proficy iFIX, an HMI/SCADA software used for industrial control systems, has been found to contain a code injection vulnerability that could allow attackers to take full control.

The vulnerability has a CVSS v3.1 score of 7.8 out of 10, which falls in the High severity range. Attackers could potentially insert malicious configuration files while the iFIX web server is running. This would enable them to execute arbitrary code and commands with the same privileges as the web server process.

As iFIX is used for human-machine interfaces and supervisory control in industries like manufacturing, oil/gas and utilities, a compromise could disrupt automation processes or even threaten public safety if not addressed.

GE Digital has released updates to address the issue in iFIX versions 2022, 6.1 and 6.5. It is strongly recommended that users of affected versions apply the patches immediately to protect their systems. Regular monitoring of networks and systems for unusual activity is also advised. Keeping software on the latest version is the best way to defend against vulnerabilities over time.
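One way to act on the monitoring advice for this issue, as an added example that is not from GE Digital or the original page: record a hash baseline of the directory the web server reads its configuration from, then report files that appear or change afterwards. The directory location and the sample file names are assumptions, since the page does not give them.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    digests = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def drift(baseline, current):
    """Compare two snapshots and list files added, modified and removed."""
    shared = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "modified": sorted(p for p in shared if baseline[p] != current[p]),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo():
    """Constructed sample: baseline a directory, then add and alter files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)  # stands in for the operator-supplied config directory
        (root / "site.conf").write_text("port=8080\n")
        (root / "users.conf").write_text("role=operator\n")
        baseline = snapshot(root)  # taken from a known-good, patched state
        # Changes made after the baseline, while the service keeps running.
        (root / "extra.conf").write_text("handler=unknown\n")
        (root / "site.conf").write_text("port=8080\nload=extra.conf\n")
        return drift(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for name in paths:
            print(f"{kind}: {name}")
```

Keep the baseline off the monitored host and take a new one after applying the vendor update, so that patched files are not reported as drift.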
