{"api_version":"1","generated_at":"2026-04-23T05:59:06+00:00","cve":"CVE-2022-21798","urls":{"html":"https://cve.report/CVE-2022-21798","api":"https://cve.report/api/cve/CVE-2022-21798.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2022-21798","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2022-21798"},"summary":{"title":"CVE-2022-21798","description":"The affected product is vulnerable due to cleartext transmission of credentials seen in the CIMPLICITY network, which can be easily spoofed and used to log in to make operational changes to the system.","state":"PUBLIC","assigner":"ics-cert@hq.dhs.gov","published_at":"2022-02-25 19:15:00","updated_at":"2022-03-08 15:38:00"},"problem_types":["CWE-319"],"metrics":[],"references":[{"url":"https://www.cisa.gov/uscert/ics/advisories/icsa-22-053-02","name":"https://www.cisa.gov/uscert/ics/advisories/icsa-22-053-02","refsource":"MISC","tags":[],"title":"GE Proficy CIMPLICITY-Cleartext | CISA","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2022-21798","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-21798","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"LEGACY","value":"Yuval Ardon and Roman Dvorkin of OTORIO reported this vulnerability to CISA","lang":""}],"nvd_cpes":[{"cve_year":"2022","cve_id":"21798","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"ge","cpe5":"cimplicity","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2022-21798","qid":"591234","title":"GE Proficy CIMPLICITY Sensitive Information Disclosure Vulnerability (ICSA-22-053-02)"}]},"source_records":{"cve_program":{"CVE_data_meta":{"ASSIGNER":"ics-cert@hq.dhs.gov","DATE_PUBLIC":"2022-02-22T23:08:00.000Z","ID":"CVE-2022-21798","STATE":"PUBLIC","TITLE":"ICSA-22-053-02 GE Proficy CIMPLICITY-Cleartext"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Proficy CIMPLICITY","version":{"version_data":[{"version_affected":"=","version_name":"all","version_value":"all"}]}}]},"vendor_name":"General Electric"}]}},"credit":[{"lang":"eng","value":"Yuval Ardon and Roman Dvorkin of OTORIO reported this vulnerability to CISA"}],"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"The affected product is vulnerable due to cleartext transmission of credentials seen in the CIMPLICITY network, which can be easily spoofed and used to log in to make operational changes to the system."}]},"generator":{"engine":"Vulnogram 0.0.9"},"impact":{"cvss":{"attackComplexity":"HIGH","attackVector":"ADJACENT_NETWORK","availabilityImpact":"HIGH","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H","version":"3.1"}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-319 Cleartext Transmission of Sensitive Information"}]}]},"references":{"reference_data":[{"refsource":"MISC","url":"https://www.cisa.gov/uscert/ics/advisories/icsa-22-053-02","name":"https://www.cisa.gov/uscert/ics/advisories/icsa-22-053-02"}]},"solution":[{"lang":"eng","value":"Users are advised to refer to the Secure Deployment Guide on how to configure communication encryption.\n\nUsers are encouraged to review the CIMPLICITY Windows Hardening Guide and Recommendations for further IPSEC configuration guidance found in the section titled “Appendix A IPSEC Configuration.”\n\nUsers are encouraged to contact a GE representative to obtain the latest versions of CIMPLICITY."}],"source":{"discovery":"UNKNOWN"}},"nvd":{"publishedDate":"2022-02-25 19:15:00","lastModifiedDate":"2022-03-08 15:38:00","problem_types":["CWE-319"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH","baseScore":9.8,"baseSeverity":"CRITICAL"},"exploitabilityScore":3.9,"impactScore":5.9},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:N/C:P/I:P/A:P","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"NONE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"PARTIAL","baseScore":7.5},"severity":"HIGH","exploitabilityScore":10,"impactScore":6.4,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:ge:cimplicity:*:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2022","CveId":"21798","Ordinal":"227274","Title":"CVE-2022-21798","CVE":"CVE-2022-21798","Year":"2022"},"notes":[{"CveYear":"2022","CveId":"21798","Ordinal":"1","NoteData":"** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.","Type":"Description","Title":null}]}}}