OTPulse

Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric HMI SCADA (Update B)

Plan PatchCVSS 9.8ICS-CERT ICSA-22-020-01Jan 20, 2022
Mitsubishi ElectricICONICSEnergyManufacturing
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

Multiple critical vulnerabilities exist in Mitsubishi Electric ICONICS and Hyper Historian HMI/SCADA software and Mitsubishi Electric MC Works64. These vulnerabilities include cross-site scripting (CWE-79), improper input validation (CWE-184), storage of sensitive information in plaintext (CWE-256), and buffer over-read issues (CWE-126). Successful exploitation could result in unauthorized access to sensitive information, unauthorized changes to GENESIS64 and MC Works64 functionality, or denial of service through SQL Server disabling in GENESIS64, ICONICS Suite, MC Works64, or GENESIS32.

What this means
What could happen
An attacker exploiting these vulnerabilities could access sensitive data from your HMI/SCADA system, modify system settings or process parameters, or crash the SQL Server that stores operational data and historian records, disrupting monitoring and control capabilities.
Who's at risk
Organizations in energy and manufacturing sectors that operate Mitsubishi Electric ICONICS HMI/SCADA systems (including GENESIS64, Hyper Historian, AnalytiX, MobileHMI components) or MC Works64 engineering software should prioritize this advisory. Water utilities, electric utilities, and manufacturing plants using these systems for process monitoring and control are directly affected.
How it could be exploited
An attacker with network access to the HMI/SCADA interface can inject malicious input or code through unvalidated form fields and stored data to trigger cross-site scripting, information disclosure, or denial of service. The vulnerabilities do not require authentication and can be exploited remotely.
Prerequisites
  • Network access to the ICONICS or Mitsubishi Electric HMI/SCADA application web interface or API
  • No credentials required for initial exploitation
Remotely exploitableNo authentication requiredLow complexity attackNo patch available for affected versionsAffects critical HMI/SCADA system functionalityMultiple vulnerability types (XSS, plaintext credential storage, buffer over-read)CVSS 9.8 (critical)
Exploitability
Some exploitation risk — EPSS score 2.8%
Affected products (28)
28 EOL
ProductAffected VersionsFix Status
ICONICS Suite: <=10.96.2≤ 10.96.2No fix (EOL)
GENESIS64: <=10.96.2≤ 10.96.2No fix (EOL)
GENESIS64: >=10.95.3 | <=10.97≥ 10.95.3 | ≤ 10.97No fix (EOL)
Hyper Historian: <=10.96.2≤ 10.96.2No fix (EOL)
Hyper Historian: >=10.95.3 | <=10.97≥ 10.95.3 | ≤ 10.97No fix (EOL)
Remediation & Mitigation
0/6
Do now
0/2
WORKAROUNDRestrict network access to HMI/SCADA interfaces using firewall rules and network segmentation; limit access to engineering workstations and authorized operator terminals only
HARDENINGDisable unnecessary web interfaces or external connectivity to the HMI/SCADA system if not required for operations
Schedule — requires maintenance window
0/3

Patching may require device reboot — plan for process interruption

HOTFIXUpdate ICONICS Suite, GENESIS64, Hyper Historian, AnalytiX, MobileHMI to patched versions per Mitsubishi Electric Iconics security advisory
HOTFIXUpdate MC Works64 to patched version per Mitsubishi Electric security advisory
HOTFIXUpdate GENESIS32 to patched version per Mitsubishi Electric security advisory
Mitigations - no patch available
0/1
The following products have reached End of Life with no planned fix: ICONICS Suite: <=10.96.2, GENESIS64: <=10.96.2, GENESIS64: >=10.95.3 | <=10.97, Hyper Historian: <=10.96.2, Hyper Historian: >=10.95.3 | <=10.97, Hyper Historian: 10.97, AnalytiX: <=10.96.2, AnalytiX: >=10.95.3 | <=10.97, MobileHMI: <=10.96.2, MobileHMI: >=10.95.3 | <=10.97, MC Works64: <=4.04E, MobileHMI: 10.97, ICONICS Suite: >=10.90 | <=10.97, ICONICS Suite: <=10.97, GENESIS64: >=10.90 | <=10.97, GENESIS64: <=10.97, Hyper Historian: >=10.90 | <=10.97, Hyper Historian: <=10.97, AnalytiX: >=10.90 | <=10.97, AnalytiX: <=10.97, MobileHMI: >=10.90 | <=10.97, MobileHMI: <=10.97, MC Works64: >=4.00A | <=4.04E, GENESIS32: <=9.7, ICONICS Suite: >=10.95.3 | <=10.97, ICONICS Suite: 10.97, GENESIS64: 10.97, AnalytiX: 10.97. Apply the following compensating controls:
HARDENINGImplement input validation and output encoding on any custom integrations or interfaces with these systems
View full CISA ICS-CERT advisory
API: /api/v1/advisories/d60bdad4-7df9-4e12-b897-eed1b0193a3e

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.

Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric HMI SCADA (Update B) | CVSS 9.8 - OTPulse