OTPulse

ICONICS and Mitsubishi Electric Products

CVSS 6.3 · ICS-CERT ICSA-22-347-01 · Dec 13, 2022

Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

A path traversal vulnerability in ICONICS Product Suite (versions 10.96 through 10.97.2) and Mitsubishi Electric products allows an attacker to write arbitrary files. Exploitation requires local access and user interaction—an attacker must trick a user into unpacking a malicious Pack&Go package file. The vulnerability affects the file extraction mechanism in the Workbench UI and can be exploited when files are unpacked using relative paths.

What this means
What could happen
An attacker could write arbitrary files to the system by tricking a user into unpacking a malicious Pack&Go file, potentially overwriting critical ICONICS configuration files, PLC programs, or system binaries. This could alter process setpoints, disable safety interlocks, or disrupt engineering workstation functionality.
Who's at risk
Energy sector operators using ICONICS Product Suite (versions 10.96–10.97.2) for HMI, SCADA, or control system visualization. This affects engineering workstations and any machine where Pack&Go packages are unpacked. Mitsubishi Electric customers using affected components should also review their deployments. Risk is highest where engineering staff handle files from external sources or where workstations lack file integrity monitoring.
How it could be exploited
An attacker crafts a malicious Pack&Go package with a path traversal payload (directory traversal sequences in filenames). The attacker delivers this file to an engineering workstation user via email or social engineering. When the user unpacks the package using a relative path in the Workbench UI, the malicious files are written to arbitrary locations on the system, potentially overwriting legitimate ICONICS application files or configuration data.
Prerequisites
  • Local access to the engineering workstation running ICONICS Workbench
  • User must unpack a malicious Pack&Go file using a relative path
  • User interaction required—attacker cannot force unpacking remotely
  • Affected ICONICS Product Suite versions 10.96 through 10.97.2 must be installed

  • No patch available (end-of-life product)
  • Requires user interaction (social engineering vector)
  • Affects engineering workstations (lateral movement risk to control network)
  • Path traversal flaw (can overwrite system files)
  • Low exploit complexity
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (2), both EOL

Product | Affected Versions | Fix Status
ICONICS Product Suite | ≥ 10.96 and ≤ 10.97.2 | No fix (EOL)
ICONICS Product Suite (note: ICONICS) | ≥ v10.96 and < v10.97.2 | No fix (EOL)
Remediation & Mitigation
Do now
  • WORKAROUND: Do not unpack Pack&Go files from untrusted sources; only unpack files received from verified, trusted sources
  • HARDENING: When unpacking Pack&Go packages in ICONICS Workbench, always use an absolute path (not a relative path) to specify the destination directory
  • HARDENING: Protect and encrypt Pack&Go packages with passwords to prevent unauthorized modification before unpacking
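As an added defender-side example (not code from the advisory, ICONICS or Mitsubishi Electric), this is the containment check an extractor should apply to every entry name before writing it, and it shows why the destination path should be absolute. The entry names are constructed; Pack&Go's real on-disk format and the demo destination folder are assumptions.

```python
import os
import tempfile
from pathlib import PureWindowsPath

# Constructed sample entry names standing in for a package's file list.
# Pack&Go's real format is not described here (assumption); the check
# applies to any archive-style extractor that writes entries under a root.
SAMPLE_ENTRIES = [
    "Project/Displays/Main.gdfx",                        # normal entry
    "Project/../../Windows/System32/drivers/etc/hosts",  # climbs out of the root
    "..\\..\\ProgramData\\ICONICS\\config.xml",          # Windows separators
    "C:\\Windows\\evil.dll",                             # drive-qualified, absolute
    "Project/Scripts/../Scripts/startup.vbs",            # '..' that stays inside
]

# Assumed demo destination; a real unpack targets the operator's chosen folder.
DEMO_DEST = os.path.join(tempfile.gettempdir(), "iconics_unpack_demo")


def destination_root(dest):
    """Resolve the unpack destination; report whether it was given relatively.
    A relative destination is resolved against the process's current working
    directory, which the operator may not control; an absolute path avoids that."""
    was_relative = not os.path.isabs(dest)
    return os.path.realpath(dest), was_relative


def stays_inside(root, entry_name):
    """True only if entry_name, written under root, cannot land outside it."""
    win = PureWindowsPath(entry_name)
    # Reject drive letters, UNC paths and anything rooted ('C:\x', '\\srv\s', '\x').
    if win.drive or win.root:
        return False
    parts = entry_name.replace("\\", "/").split("/")
    target = os.path.realpath(os.path.join(root, *parts))
    # After normalisation the target must still sit strictly below root.
    return target != root and os.path.commonpath([root, target]) == root


def check_entries(dest, entries):
    """Split entries into (allowed, rejected) for extraction under dest."""
    root, _ = destination_root(dest)
    allowed = [e for e in entries if stays_inside(root, e)]
    rejected = [e for e in entries if not stays_inside(root, e)]
    return allowed, rejected


if __name__ == "__main__":
    ok, bad = check_entries(DEMO_DEST, SAMPLE_ENTRIES)
    print("would extract:", ok)
    print("rejected:", bad)
```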
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HARDENING: Isolate ICONICS engineering workstations on a separate network segment from untrusted hosts and the internet; implement firewall rules to prevent direct access from external networks
  • HARDENING: Educate engineering staff not to open or unpack Pack&Go files received via email or from untrusted sources; implement email filtering to block potentially malicious attachments
Long-term hardening
  • HOTFIX: Plan migration to a patched or supported version of ICONICS software; contact ICONICS for guidance on upgrade paths or extended support options
Mitigations - no patch available
The following products have reached End of Life with no planned fix: ICONICS Product Suite (both version ranges listed above). Apply the following compensating controls:
  • HARDENING: Monitor engineering workstations for unexpected file modifications in ICONICS installation directories and configuration folders