Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric HMI SCADA (Update B)

Act Now9.8ICS-CERT ICSA-22-020-01Jan 20, 2022

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Multiple critical vulnerabilities exist in Mitsubishi Electric ICONICS and Hyper Historian HMI/SCADA software and Mitsubishi Electric MC Works64. These vulnerabilities include cross-site scripting (CWE-79), improper input validation (CWE-184), storage of sensitive information in plaintext (CWE-256), and buffer over-read issues (CWE-126). Successful exploitation could result in unauthorized access to sensitive information, unauthorized changes to GENESIS64 and MC Works64 functionality, or denial of service through SQL Server disabling in GENESIS64, ICONICS Suite, MC Works64, or GENESIS32.

What this means

What could happen

An attacker exploiting these vulnerabilities could access sensitive data from your HMI/SCADA system, modify system settings or process parameters, or crash the SQL Server that stores operational data and historian records, disrupting monitoring and control capabilities.

Who's at risk

Organizations in energy and manufacturing sectors that operate Mitsubishi Electric ICONICS HMI/SCADA systems (including GENESIS64, Hyper Historian, AnalytiX, MobileHMI components) or MC Works64 engineering software should prioritize this advisory. Water utilities, electric utilities, and manufacturing plants using these systems for process monitoring and control are directly affected.

How it could be exploited

An attacker with network access to the HMI/SCADA interface can inject malicious input or code through unvalidated form fields and stored data to trigger cross-site scripting, information disclosure, or denial of service. The vulnerabilities do not require authentication and can be exploited remotely.

Prerequisites

Network access to the ICONICS or Mitsubishi Electric HMI/SCADA application web interface or API
No credentials required for initial exploitation

Remotely exploitableNo authentication requiredLow complexity attackNo patch available for affected versionsAffects critical HMI/SCADA system functionalityMultiple vulnerability types (XSS, plaintext credential storage, buffer over-read)CVSS 9.8 (critical)

Exploitability

Moderate exploit probability (EPSS 2.8%)

Affected products (28)

28 EOL

ProductAffected VersionsFix Status

ICONICS Suite: <=10.96.2≤ 10.96.2No fix (EOL)

GENESIS64: <=10.96.2≤ 10.96.2No fix (EOL)

GENESIS64: >=10.95.3 | <=10.97≥ 10.95.3 | ≤ 10.97No fix (EOL)

Hyper Historian: <=10.96.2≤ 10.96.2No fix (EOL)

Hyper Historian: >=10.95.3 | <=10.97≥ 10.95.3 | ≤ 10.97No fix (EOL)

Remediation & Mitigation

0/6

Do now

0/2

WORKAROUNDRestrict network access to HMI/SCADA interfaces using firewall rules and network segmentation; limit access to engineering workstations and authorized operator terminals only

HARDENINGDisable unnecessary web interfaces or external connectivity to the HMI/SCADA system if not required for operations

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HOTFIXUpdate ICONICS Suite, GENESIS64, Hyper Historian, AnalytiX, MobileHMI to patched versions per Mitsubishi Electric Iconics security advisory

HOTFIXUpdate MC Works64 to patched version per Mitsubishi Electric security advisory

HOTFIXUpdate GENESIS32 to patched version per Mitsubishi Electric security advisory

Mitigations - no patch available

0/1

The following products have reached End of Life with no planned fix: ICONICS Suite: <=10.96.2, GENESIS64: <=10.96.2, GENESIS64: >=10.95.3 | <=10.97, Hyper Historian: <=10.96.2, Hyper Historian: >=10.95.3 | <=10.97, Hyper Historian: 10.97, AnalytiX: <=10.96.2, AnalytiX: >=10.95.3 | <=10.97, MobileHMI: <=10.96.2, MobileHMI: >=10.95.3 | <=10.97, MC Works64: <=4.04E, MobileHMI: 10.97, ICONICS Suite: >=10.90 | <=10.97, ICONICS Suite: <=10.97, GENESIS64: >=10.90 | <=10.97, GENESIS64: <=10.97, Hyper Historian: >=10.90 | <=10.97, Hyper Historian: <=10.97, AnalytiX: >=10.90 | <=10.97, AnalytiX: <=10.97, MobileHMI: >=10.90 | <=10.97, MobileHMI: <=10.97, MC Works64: >=4.00A | <=4.04E, GENESIS32: <=9.7, ICONICS Suite: >=10.95.3 | <=10.97, ICONICS Suite: 10.97, GENESIS64: 10.97, AnalytiX: 10.97. Apply the following compensating controls:

HARDENINGImplement input validation and output encoding on any custom integrations or interfaces with these systems

CVEs (4)

CVE-2022-23127 CVE-2022-23128 CVE-2022-23129 CVE-2022-23130

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/d60bdad4-7df9-4e12-b897-eed1b0193a3e