ICONICS and Mitsubishi Electric Products

Act Now | CVSS 5.9 | ICS-CERT ICSA-23-229-01 | Aug 17, 2023
Mitsubishi Electric | ICONICS | Energy | Manufacturing
Attack path
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

Multiple vulnerabilities in ICONICS Suite 10.97.2 (including GENESIS64, Hyper Historian, AnalytiX, and MobileHMI) and related Mitsubishi Electric products. Vulnerabilities include buffer overflows (CWE-120, CWE-125), information disclosure (CWE-208, CWE-415), and null pointer dereference (CWE-476). These can lead to information disclosure, denial-of-service, or remote code execution via the BACnet/SC protocol or other attack vectors. CVSS 5.9, no known public exploitation at time of advisory.

What this means
What could happen
An attacker could stop or disrupt HMI and data historian operations, or potentially execute commands on ICONICS systems, affecting real-time monitoring and control of energy and manufacturing processes.
Who's at risk
Energy utilities and manufacturing facilities using ICONICS Suite (including GENESIS64, Hyper Historian, AnalytiX, and MobileHMI) for supervisory control, real-time monitoring, and data collection. This impacts operators who rely on these HMI and historian platforms to manage critical processes.
How it could be exploited
An attacker with network access to a vulnerable ICONICS Suite system could exploit buffer overflow, information disclosure, or denial-of-service vulnerabilities in the BACnet/SC protocol implementation to cause a crash or gain code execution on the HMI or historian server.
Prerequisites
  • Network access to ICONICS Suite system running version 10.97.2 without Critical Fixes Rollup 2
  • BACnet/SC protocol enabled (for some vulnerabilities)
  • No authentication required for exploitation
remotely exploitable | no authentication required | low complexity | high EPSS score (83.2%) | affects monitoring and control systems | BACnet protocol enabled increases risk
Exploitability
Likely to be exploited — EPSS score 83.5%
Public Proof-of-Concept (PoC) on GitHub (10 repositories)
Affected products (1)
Product: ICONICS Suite including GENESIS64, Hyper Historian, AnalytiX, and MobileHMI: 10.97.2
Affected Versions: 10.97.2
Fix Status: No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Disable BACnet/SC feature on production systems until patch is applied
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Apply ICONICS Suite 10.97.2 Critical Fixes Rollup 2 or later
HOTFIX: Monitor ICONICS security advisories and apply patches as released
Long-term hardening
HARDENING: Ensure ICONICS Suite systems are not directly accessible from the Internet
HARDENING: Isolate ICONICS Suite systems from business networks using firewalls

ICONICS and Mitsubishi Electric Products | CVSS 5.9 - OTPulse