ICONICS GENESIS64, GENESIS32

Act NowCVSS 9.4ICS-CERT ICSA-20-170-03Jun 18, 2020

ICONICSManufacturing

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Multiple vulnerabilities exist in ICONICS software products that allow remote code execution or denial of service. The vulnerabilities involve unsafe deserialization (CWE-502), buffer overflow (CWE-787), and code injection (CWE-94) in GENESIS64, GENESIS32, Hyper Historian, AnalytiX, BizViz, and MobileHMI. Exploitation requires only network access to the affected application; no authentication or user interaction is required. Successful exploitation could allow an attacker to execute arbitrary code, modify process data, alter historical records, or prevent operators from accessing the system.

What this means

What could happen

An attacker could execute arbitrary code on ICONICS HMI and data logging systems, allowing them to modify process parameters, alter historical data, or halt operations. They could also cause denial of service, preventing operators from monitoring or controlling plant equipment.

Who's at risk

Manufacturing facilities using ICONICS visualization and data logging platforms should assess this immediately. Affected products include GENESIS64 (all versions up to 10.96), GENESIS32 (up to 9.5), Hyper Historian (up to 10.96), AnalytiX (up to 10.96), BizViz (up to 9.5), and MobileHMI (up to 10.96). These systems typically serve as the operator interface and historian for production lines, batch processes, and critical infrastructure. Any facility using these products for process monitoring or control is at risk.

How it could be exploited

An attacker with network access to a vulnerable ICONICS application (GENESIS64, GENESIS32, Hyper Historian, AnalytiX, BizViz, or MobileHMI) could send a specially crafted request that exploits unsafe deserialization (CWE-502) or buffer overflow (CWE-787) vulnerabilities to execute arbitrary code on the host system. No user interaction or authentication is required.

Prerequisites

Network access to the vulnerable ICONICS application port
Application running an affected version
No authentication required

remotely exploitableno authentication requiredlow complexityhigh EPSS score (10.2%)no patch available for most products (4 of 6)affects HMI and historian systems

Exploitability

Likely to be exploited — EPSS score 10.2%

Affected products (6)

2 with fix4 EOL

ProductAffected VersionsFix Status

GENESIS64: v10.96 and prior≤ 10.96v10.96, v10.95.5, or v10.95.2 (patched)

GENESIS32: v9.5 and prior≤ 9.5v9.4 or v9.5 (patched)

AnalytiX: v10.96 and prior≤ 10.96No fix (EOL)

BizViz: v9.5 and prior≤ 9.5No fix (EOL)

MobileHMI: v10.96 and prior≤ 10.96No fix (EOL)

Hyper Historian: v10.96 and prior≤ 10.96No fix (EOL)

Remediation & Mitigation

0/6

Do now

0/1

WORKAROUNDFor products without patches available (Hyper Historian, AnalytiX, BizViz, MobileHMI), isolate systems from business network and restrict network access via firewall rules

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate GENESIS64 to patched version (v10.96, v10.95.5, or v10.95.2 patch)

HOTFIXUpdate GENESIS32 to patched version (v9.4 or v9.5 patch)

Mitigations - no patch available

0/3

The following products have reached End of Life with no planned fix: AnalytiX: v10.96 and prior, BizViz: v9.5 and prior, MobileHMI: v10.96 and prior, Hyper Historian: v10.96 and prior. Apply the following compensating controls:

HARDENINGImplement network segmentation to isolate HMI/data logging systems from the Internet and business network

HARDENINGDeploy firewall rules to restrict access to ICONICS applications to only authorized engineering workstations and control system networks

HARDENINGIf remote access to ICONICS systems is required, implement VPN with current security patches and strong authentication

CVEs (5)

CVE-2020-12011 CVE-2020-12015 CVE-2020-12009 CVE-2020-12013 CVE-2020-12007

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/7f47e399-2ef4-42e9-ad69-f3716af5abdc

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.