OTPulse

ICONICS GENESIS64, GENESIS32

Priority: Act Now
CVSS: 9.4
Source: ICS-CERT ICSA-20-170-03
Published: Jun 18, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple vulnerabilities exist in ICONICS software products that allow remote code execution or denial of service. The vulnerabilities involve unsafe deserialization (CWE-502), buffer overflow (CWE-787), and code injection (CWE-94) in GENESIS64, GENESIS32, Hyper Historian, AnalytiX, BizViz, and MobileHMI. Exploitation requires only network access to the affected application; no authentication or user interaction is required. Successful exploitation could allow an attacker to execute arbitrary code, modify process data, alter historical records, or prevent operators from accessing the system.

What this means
What could happen
An attacker could execute arbitrary code on ICONICS HMI and data logging systems, allowing them to modify process parameters, alter historical data, or halt operations. They could also cause denial of service, preventing operators from monitoring or controlling plant equipment.
Who's at risk
Manufacturing facilities using ICONICS visualization and data logging platforms should assess this immediately. Affected products include GENESIS64 (all versions up to 10.96), GENESIS32 (up to 9.5), Hyper Historian (up to 10.96), AnalytiX (up to 10.96), BizViz (up to 9.5), and MobileHMI (up to 10.96). These systems typically serve as the operator interface and historian for production lines, batch processes, and critical infrastructure. Any facility using these products for process monitoring or control is at risk.
How it could be exploited
An attacker with network access to a vulnerable ICONICS application (GENESIS64, GENESIS32, Hyper Historian, AnalytiX, BizViz, or MobileHMI) could send a specially crafted request that exploits unsafe deserialization (CWE-502) or buffer overflow (CWE-787) vulnerabilities to execute arbitrary code on the host system. No user interaction or authentication is required.
Prerequisites
  • Network access to the vulnerable ICONICS application port
  • Application running an affected version
  • No authentication required
Tags:
  • remotely exploitable
  • no authentication required
  • low complexity
  • high EPSS score (10.2%)
  • no patch available for most products (4 of 6)
  • affects HMI and historian systems
Exploitability
High exploit probability (EPSS 10.2%)
Affected products (6)
2 with fix, 4 EOL

Product                                  Affected Versions   Fix Status
GENESIS64: v10.96 and prior              ≤ 10.96             v10.96, v10.95.5, or v10.95.2 (patched)
GENESIS32: v9.5 and prior                ≤ 9.5               v9.4 or v9.5 (patched)
AnalytiX: v10.96 and prior               ≤ 10.96             No fix (EOL)
BizViz: v9.5 and prior                   ≤ 9.5               No fix (EOL)
MobileHMI: v10.96 and prior              ≤ 10.96             No fix (EOL)
Hyper Historian: v10.96 and prior        ≤ 10.96             No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: For products without patches available (Hyper Historian, AnalytiX, BizViz, MobileHMI), isolate the systems from the business network and restrict network access via firewall rules.
Schedule — requires maintenance window

Patching may require a device reboot; plan for the process interruption.

HOTFIX: Update GENESIS64 to a patched version (v10.96, v10.95.5, or v10.95.2 patch).
HOTFIX: Update GENESIS32 to a patched version (v9.4 or v9.5 patch).
Mitigations - no patch available
The following products have reached End of Life with no planned fix: AnalytiX: v10.96 and prior, BizViz: v9.5 and prior, MobileHMI: v10.96 and prior, Hyper Historian: v10.96 and prior. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate HMI/data logging systems from the Internet and the business network.
HARDENING: Deploy firewall rules to restrict access to ICONICS applications to only authorized engineering workstations and control system networks.
HARDENING: If remote access to ICONICS systems is required, implement a VPN with current security patches and strong authentication.
API: /api/v1/advisories/7f47e399-2ef4-42e9-ad69-f3716af5abdc