CVE-2014-0750
published 2014-01-25

CVE-2014-0750: Directory traversal vulnerability in gefebt.exe in the WebView CimWeb components in GE Intelligent Platforms Proficy HMI/SCADA - CIMPLICITY through 8.2 SIM 24…

Priority: P2 · 75 · high
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
EXPLOIT
EPSS: 70.22% (99.3th percentile)
Directory traversal vulnerability in gefebt.exe in the WebView CimWeb components in GE Intelligent Platforms Proficy HMI/SCADA - CIMPLICITY through 8.2 SIM 24, and Proficy Process Systems with CIMPLICITY, allows remote attackers to execute arbitrary code via a crafted HTTP request, aka ZDI-CAN-1622.

Affected

8 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ge | intelligent_platforms_proficy_hmi_2fscada_cimplicity | <= 8.2 | |
| ge | intelligent_platforms_proficy_hmi_scada_cimplicity | | |
| ge | intelligent_platforms_proficy_hmi_scada_cimplicity | | |
| ge | intelligent_platforms_proficy_hmi_scada_cimplicity | | |
| ge | intelligent_platforms_proficy_hmi_scada_cimplicity | | |
| ge | intelligent_platforms_proficy_hmi_scada_cimplicity | | |
| ge | proficy_hmi_scada_cimplicity | >= 4.01 < 8.2 | 8.2 |
| ge | proficy_process_systems_with_cimplicity | | |

Detection & IOCs (extracted from sources)

filename: gefebt.exe
path: /CimWeb/gefebt.exe
process: gefebt.exe
  • Detect HTTP requests to /CimWeb/gefebt.exe — a successful response with 'Usage.*gefebt\.exe' in the body indicates a vulnerable/exposed endpoint.
  • Monitor for inbound WebDAV PROPFIND and OPTIONS requests to port 80 from the CIMPLICITY server, which indicates the exploit is fetching remote BCL payload files.
  • Alert on HTTP requests to /CimWeb/*.bcl — the exploit fetches remotely-hosted BCL files via UNC/WebDAV paths passed to gefebt.exe to achieve code execution.
  • Monitor for outbound SMB/WebDAV connections originating from the CIMPLICITY CimWebServer process (gefebt.exe) to external hosts, indicating UNC path traversal exploitation.
  • Detect HTTP GET requests to /CimWeb/<random>.exe following BCL execution — this is the final stage where the dropped payload EXE is executed via the WebView server.
  • The exploit requires SRVPORT=80 and URIPATH='/' when using the WebDAV delivery method; deviating from these breaks the attack chain.
  • If the target host does not have the WebClient service enabled, the attacker must use an external SMB server instead of WebDAV to serve the malicious BCL files.
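
The HTTP-side checks above (requests to /CimWeb/gefebt.exe, /CimWeb/*.bcl, and a later GET for another /CimWeb/*.exe from the same client) can be run over web access logs. The following is an added example, not code from the sources quoted on this page; it assumes Common Log Format logs, and the rule names, the way the UNC argument appears in the query string, and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumed log layout (Common Log Format); adjust LOG_RE to the web server in use.
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')
UNC_RE = re.compile(r'(\\\\|//)[^\\/]+[\\/]')  # \\host\share or //host/share

def scan(lines):
    """Return (line_no, client, rule) findings for the CimWeb request patterns."""
    findings = []
    primed = set()  # clients already seen requesting gefebt.exe or a .bcl file
    for no, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        client = m["client"]
        parts = urlsplit(m["target"])
        # Decode percent-escapes and normalise case and separators before matching.
        path = unquote(parts.path).replace("\\", "/").lower()
        if not path.startswith("/cimweb/"):
            continue
        name = path[len("/cimweb/"):]
        if name == "gefebt.exe":
            unc = UNC_RE.search(unquote(parts.query)) is not None
            findings.append((no, client, "gefebt-unc-argument" if unc else "gefebt-request"))
            primed.add(client)
        elif name.endswith(".bcl"):
            findings.append((no, client, "bcl-request"))
            primed.add(client)
        elif name.endswith(".exe") and m["method"] == "GET" and client in primed:
            findings.append((no, client, "exe-after-bcl"))
    return findings

# Constructed sample log lines (documentation addresses, made-up file names).
SAMPLE = [
    '192.0.2.10 - - [25/Jan/2014:10:00:01 +0000] "GET /CimWeb/index.html HTTP/1.1" 200 512',
    '198.51.100.7 - - [25/Jan/2014:10:00:05 +0000] "GET /CimWeb/gefebt.exe HTTP/1.1" 200 300',
    '198.51.100.7 - - [25/Jan/2014:10:00:09 +0000] "GET /CimWeb/gefebt.exe?%5C%5Cfiles.example.test%5Cshare%5Cdemo.bcl HTTP/1.1" 200 0',
    '198.51.100.7 - - [25/Jan/2014:10:00:12 +0000] "GET /cimweb/demo.bcl HTTP/1.1" 200 0',
    '198.51.100.7 - - [25/Jan/2014:10:00:15 +0000] "GET /CimWeb/qzxw.exe HTTP/1.1" 200 0',
    '192.0.2.10 - - [25/Jan/2014:10:00:20 +0000] "GET /CimWeb/tool.exe HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The exe-after-bcl rule is stateful per client address, so feed it logs in chronological order; the WebDAV and SMB checks in the list above need network or host telemetry and are not covered here.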