Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric Products (Update C)
Act NowCVSS 7ICS-CERT ICSA-24-184-03Jul 2, 2024
Mitsubishi ElectricICONICSEnergyManufacturing
Attack path
Attack VectorLocal
Auth RequiredLow
ComplexityHigh
User InteractionNone needed
Summary
Multiple vulnerabilities (CWE-770, CWE-347, CWE-427, CWE-306, CWE-470) in ICONICS Suite, GENESIS64, GENESIS32, Hyper Historian, AnalytiX, MobileHMI, MC Works64, and BizViz up to and including version 10.97.2. These flaws involve improper resource limits, signature verification failures, untrusted search path issues, missing authentication checks, and improper validation. Successful exploitation could result in denial-of-service, privilege escalation, or arbitrary code execution on HMI and SCADA systems.
What this means
What could happen
Multiple privilege escalation and code execution vulnerabilities in ICONICS and Mitsubishi Electric HMI/SCADA software could allow an attacker with local or network access to run arbitrary commands, potentially disrupting monitoring and control of energy generation, distribution, and manufacturing processes.
Who's at risk
Energy utilities and manufacturing operations using ICONICS Suite, GENESIS64, GENESIS32, Hyper Historian, AnalytiX, MobileHMI, MC Works64, or BizViz for real-time monitoring and control of generators, distribution substations, transmission equipment, and manufacturing processes. This includes all versions up to 10.97.2 of these HMI/SCADA platforms.
How it could be exploited
An attacker with local access to an engineering workstation or HMI server running affected ICONICS/Mitsubishi software could exploit improper privilege management and code validation flaws to escalate privileges and execute arbitrary code on the system. If the HMI is accessible from the network (a common configuration for remote monitoring), exploitation could occur remotely without authentication on some vector combinations.
Prerequisites
- Local or network access to ICONICS Suite, GENESIS64, or related products running version 10.97.2 or earlier
- For some vectors: no authentication required; for others: valid user account on the HMI/engineering workstation
- Affected software must be installed and running on Windows server or workstation
High EPSS score (92.0%)No patch available for versions below 10.97.3Affects all versions of multiple productsLocally exploitable with privilege escalation potentialCould enable arbitrary code execution on SCADA systemsLow complexity exploitation
Exploitability
Likely to be exploited — EPSS score 92.1%
Affected products (15)
12 with fix3 pending
ProductAffected VersionsFix Status
GENESIS32: vers:all/*All versionsNo fix yet
MC Works64: vers:all/*All versionsNo fix yet
ICONICS Suite: 10.97.210.97.210.97.3+
GENESIS64: 10.97.210.97.210.97.3+
GENESIS64: vers:all/*All versions10.97.3+
Hyper Historian: 10.97.210.97.210.97.3+
AnalytiX: 10.97.210.97.210.97.3+
MobileHMI: 10.97.210.97.210.97.3+
Remediation & Mitigation
0/5
Do now
0/3HARDENINGRestrict network access to HMI and SCADA software to engineering workstations and authorized monitoring stations only; disable remote access if not operationally required
HARDENINGImplement strong access controls and least-privilege user accounts on systems running ICONICS/GENESIS software
HARDENINGMonitor affected systems for suspicious local process execution and privilege escalation attempts
Schedule — requires maintenance window
0/2Patching may require device reboot — plan for process interruption
HOTFIXUpgrade ICONICS Suite and GENESIS64 to version 10.97.3 or later, or migrate to GENESIS successor product
HOTFIXApply '10.97.2 Critical Fixes Rollup 3' security update from ICONICS Community Portal if immediate upgrade to 10.97.3 is not feasible
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/8c248554-fe97-4620-be35-791bdea0e15cGet OT security insights every Tuesday
Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.