PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-9360 GE CVE debrief

CVE-2016-9360 is a credential exposure issue in several GE Proficy HMI/SCADA products. According to the CVE record, an attacker who already has access to an authenticated session may be able to retrieve user passwords. The affected product ranges listed in NVD are iFIX 5.8 SIM 13 and prior, CIMPLICITY 9.0 and prior, and Historian 6.0 and prior. NVD classifies the issue as CVSS 6.7 (Medium) with CWE-522, and the disclosure date in the record is 2017-02-13.

Vendor: GE
Product: CVE-2016-9360
CVSS: MEDIUM 6.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-13
Original CVE updated: 2026-05-13
Advisory published: 2017-02-13
Advisory updated: 2026-05-13

Who should care

Administrators and operators of GE Proficy iFIX, CIMPLICITY, and Historian installations, especially environments where authenticated users, shared workstations, or remote access paths could expose live sessions.

Technical summary

NVD maps the issue to CWE-522 and rates it CVSS 3.1 6.7 with vector AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:L/A:L. The impact described in the CVE summary is password retrieval from an already authenticated session, so the primary risk is credential disclosure rather than remote unauthenticated compromise; the vector's local access, high attack complexity and high privileges required reflect that, while the changed scope reflects that recovered passwords can be reused against accounts and systems beyond the HMI itself. The affected versions listed are iFIX 5.8 SIM 13 and earlier, CIMPLICITY 9.0 and earlier, and Historian 6.0 and earlier.

Defensive priority

Medium priority overall, but treat it as higher priority where authenticated access is broadly available, or where the exposed credentials would also unlock operational systems and adjacent accounts.

Recommended defensive actions

  • Review GE/Proficy vendor guidance and the US-CERT/ICS-CERT advisory for remediation steps tied to the affected product versions.
  • Upgrade or replace affected GE Proficy iFIX, CIMPLICITY, and Historian versions to vendor-supported fixed releases if available.
  • Restrict authenticated access to these systems to only the minimum required users and hosts.
  • Minimize shared accounts and rotate credentials that may have been exposed through impacted sessions.
  • Audit session handling, access controls, and account hygiene on engineering workstations and HMI/SCADA servers.
  • Monitor for unusual authenticated-session activity and investigate any signs that credentials may have been retrieved or reused.

Evidence notes

Source evidence is limited to the provided NVD/CVE record and listed references. The CVE description states that passwords may be retrievable if an attacker has access to an authenticated session. NVD lists affected CPEs for GE iFIX, CIMPLICITY, and Historian with end versions 5.8, 9.0, and 6.0 respectively, and classifies the issue as CWE-522. The CVE was published on 2017-02-13; the NVD record was later modified on 2026-05-13, but that modified date is not the disclosure date.

Official resources

Publicly disclosed in the CVE/NVD record on 2017-02-13, with a US-CERT/ICS-CERT advisory reference included in the NVD metadata.