GE Security Vulnerabilities

CVE-2024-1628

OS command injection vulnerabilities in GE HealthCare ultrasound...

CVE-2024-1630

Path traversal vulnerability in “getAllFolderContents” function of Common Service Desktop, a GE HealthCare ultrasound device...

CVE-2024-1486

Elevation of privileges via misconfigured access control list in GE HealthCare ultrasound...

CVE-2024-27109

Insufficiently protected credentials in GE HealthCare EchoPAC...

CVE-2024-1629

Path traversal vulnerability in “deleteFiles” function of Common Service Desktop, a GE HealthCare ultrasound device...

CVE-2024-27107

Weak account password in GE HealthCare EchoPAC...

CVE-2024-27110

Elevation of privilege vulnerability in GE HealthCare EchoPAC...

CVE-2024-27108

Non privileged access to critical file vulnerability in GE HealthCare EchoPAC...

CVE-2024-27106

Vulnerable data in transit in GE HealthCare EchoPAC...

CVE-2023-5909

KEPServerEX does not properly validate certificates from clients which may allow unauthenticated users to...

CVE-2023-5908

KEPServerEX is vulnerable to a buffer overflow which may allow an attacker to crash the product being accessed or leak...

CVE-2020-36548

A vulnerability classified as problematic has been found in GE Voluson S8. Affected is the file /uscgi-bin/users.cgi of the Service Browser. The manipulation leads to improper authentication and elevated access possibilities. It is possible to launch the attack on the local...

CVE-2022-2952

GE CIMPICITY versions 2022 and prior is vulnerable when data from a faulting address controls code flow starting at gmmiObj!CGmmiOptionContainer, which could allow an attacker to execute arbitrary...

CVE-2022-2948

GE CIMPICITY versions 2022 and prior is vulnerable to a heap-based buffer overflow, which could allow an attacker to execute arbitrary...

CVE-2022-3084

GE CIMPICITY versions 2022 and prior is vulnerable when data from a faulting address controls code flow starting at gmmiObj!CGmmiRootOptionTable, which could allow an attacker to execute arbitrary...

CVE-2022-3092

GE CIMPICITY versions 2022 and prior is vulnerable to an out-of-bounds write, which could allow an attacker to execute arbitrary...

CVE-2020-36549

A vulnerability classified as critical was found in GE Voluson S8. Affected is the underlying Windows XP operating system. Missing patches might introduce an excessive attack surface. Access to the local network is required for this attack to...

CVE-2022-2002

GE CIMPICITY versions 2022 and prior is vulnerable when data from faulting address controls code flow starting at gmmiObj!CGmmiOptionContainer, which could allow an attacker to execute arbitrary...

CVE-2020-36547

A vulnerability was found in GE Voluson S8. It has been rated as critical. This issue affects the Service Browser which itroduces hard-coded credentials. Attacking locally is a requirement. It is recommended to change the configuration...

CVE-2022-46331

An unauthorized user could possibly delete any file on the...

CVE-2022-46660

An unauthorized user could alter or write files with full control over the path and content of the...

CVE-2022-38469

An unauthorized user with network access and the decryption key could decrypt sensitive data, such as usernames and...

CVE-2023-0598

GE Digital Proficy iFIX 2022, GE Digital Proficy iFIX v6.1, and GE Digital Proficy iFIX v6.5 are vulnerable to code injection, which may allow an attacker to insert malicious configuration files in the expected web server execution path and gain full control of the HMI...

CVE-2022-46732

Even if the authentication fails for local service authentication, the requested command could still execute regardless of authentication...

CVE-2022-43494

An unauthorized user could be able to read any file on the system, potentially exposing sensitive...

CVE-2023-4487

GE CIMPLICITY 2023 is by a process control vulnerability, which could allow a local attacker to insert malicious configuration files in the expected web server execution path to escalate privileges and gain full control of the HMI...

CVE-2023-3463

All versions of GE Digital CIMPLICITY that are not adhering to SDG guidance and accepting documents from untrusted sources are vulnerable to memory corruption issues due to insufficient input validation, including issues such as out-of-bounds reads and writes, use-after-free, stack-based buffer...

CVE-2020-36561

Due to improper path sanitization, archives containing relative file paths can cause files to be written (or overwritten) outside of the target...

CVE-2023-1552

ToolboxST prior to version 7.10 is affected by a deserialization vulnerability. An attacker with local access to an HMI or who has conducted a social engineering attack on an authorized operator could execute code in a Toolbox user's context through the deserialization of an untrusted...

CVE-2022-43975

An issue was discovered in FC46-WebBridge on GE Grid Solutions MS3000 devices before 3.7.6.25p0_3.2.2.17p0_4.7p0. A vulnerability in the web server allows arbitrary files and configurations to be read via directory traversal over TCP port...

CVE-2022-43976

An issue was discovered in FC46-WebBridge on GE Grid Solutions MS3000 devices before 3.7.6.25p0_3.2.2.17p0_4.7p0. Direct access to the API is possible on TCP port 8888 via programs located in the cgi-bin folder without any...

CVE-2022-43977

An issue was discovered on GE Grid Solutions MS3000 devices before 3.7.6.25p0_3.2.2.17p0_4.7p0. The debug port accessible via TCP (a qconn service) lacks access...

CVE-2022-24116

Certain General Electric Renewable Energy products have inadequate encryption strength. This affects iNET and iNET II before...

CVE-2022-24117

Certain General Electric Renewable Energy products download firmware without an integrity check. This affects iNET and iNET II before 8.3.0, SD before 6.4.7, TD220X before 2.0.16, and TD220MAX before...

CVE-2022-24119

Certain General Electric Renewable Energy products have a hidden feature for unauthenticated remote access to the device configuration shell. This affects iNET and iNET II before...

CVE-2022-24120

Certain General Electric Renewable Energy products store cleartext credentials in flash memory. This affects iNET and iNET II before...

CVE-2022-24118

Certain General Electric Renewable Energy products allow attackers to use a code to trigger a reboot into the factory default configuration. This affects iNET and iNET II before 8.3.0, SD before 6.4.7, TD220X before 2.0.16, and TD220MAX before...

CVE-2022-37953

An HTTP response splitting vulnerability exists in the AM Gateway Challenge-Response dialog of WorkstationST...

CVE-2022-37952

A reflected cross-site scripting (XSS) vulnerability exists in the iHistorian Data Display of WorkstationST...