Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric Products (Update B)

Plan Patch | CVSS 7.8 | ICS-CERT ICSA-24-338-04 | Dec 3, 2024
Mitsubishi Electric | ICONICS | Energy
Attack path
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary

Mitsubishi Electric ICONICS GENESIS64/Suite, AlarmWorX64 MMX, and MC Works64 contain vulnerabilities (CVE-2024-8299, CVE-2024-9852) in untrusted library loading and code deserialization that allow local privilege escalation and arbitrary code execution. GENESIS64 and ICONICS Suite versions prior to 10.97.3 are affected. GENESIS32 (all versions) and MC Works64 (all versions) will not receive fixes; GENESIS32 is end-of-life. Exploitation requires local system access but could allow an attacker to modify process parameters, disable safety functions, or shut down operations.

What this means
What could happen
An attacker with local access to these HMI/SCADA software applications could execute arbitrary code, potentially allowing manipulation of process parameters, alarms, or system shutdown.
Who's at risk
Organizations running Mitsubishi Electric ICONICS HMI/SCADA software (GENESIS64, GENESIS32, AlarmWorX64 MMX, MC Works64) or Mitsubishi Electric MC Works64 engineering software in energy, water, manufacturing, or utility environments should assess their installed versions and apply updates or mitigations immediately.
How it could be exploited
An attacker with local system access or ability to place malicious code on the device (e.g., via USB, shared folder, or supply-chain compromise) could trigger code execution through vulnerabilities in untrusted library loading or insecure deserialization mechanisms within GENESIS64, ICONICS Suite, or MC Works64.
Prerequisites
  • Local system access or ability to execute code on the same machine running GENESIS64, ICONICS Suite, AlarmWorX64 MMX, or MC Works64
  • Affected versions: GENESIS64/ICONICS Suite prior to 10.97.3; GENESIS32 all versions; MC Works64 all versions
  • local access required but can be escalated through supply-chain or insider threat
  • affects HMI systems that control process logic
  • no patch available for GENESIS32 (end-of-life product)
  • no patch available for MC Works64
  • CVSS 7.8 (high severity) for code execution
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (6)
4 with fix, 2 EOL
  • Product: GENESIS64 and ICONICS Suite AlarmWorX Multimedia (AlarmWorX64 MMX): vers:all/*
    Affected Versions: All versions
    Fix Status: 10.97.3
  • Product: GENESIS64 and ICONICS Suite: 10.97.2|10.97.2|CFR1|10.97.2|CFR2|10.97.3
    Affected Versions: 10.97.2|10.97.2 CFR1|10.97.2 CFR2|10.97.3
    Fix Status: 10.97.3
  • Product: GENESIS64 and ICONICS Suite: 10.97.2|10.97.2_CFR1|10.97.2_CFR2|10.97.3
    Affected Versions: 10.97.2|10.97.2 CFR1|10.97.2 CFR2|10.97.3
    Fix Status: 10.97.3
  • Product: GENESIS32: vers:all/*
    Affected Versions: All versions
    Fix Status: No fix (EOL)
  • Product: GENESIS64 and ICONICS Suite AlarmWorX Multimedia (AlarmWorX64 MMX): vers:all/*
    Affected Versions: All versions
    Fix Status: 10.97.3
  • Product: MC Works64: vers:all/*
    Affected Versions: All versions
    Fix Status: No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: For MC Works64: Implement compensating controls per Mitsubishi Electric security advisory at https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2024-010_en.pdf since no fix is planned
HARDENING: Restrict local system access and administrative privileges to HMI/SCADA workstations; limit USB and removable media access
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

GENESIS64 and ICONICS Suite AlarmWorX Multimedia (AlarmWorX64 MMX): vers:all/*
HOTFIX: Update AlarmWorX64 MMX to version 10.97.3 or later
All products
HOTFIX: Update GENESIS64 and ICONICS Suite to version 10.97.3 or later
HARDENING: Review and implement mitigations from ICONICS Whitepaper on Security Vulnerabilities (November 2024) at https://iconics.com/About/Security/CERT
Mitigations - no patch available
The following products have reached End of Life with no planned fix: GENESIS32: vers:all/*, MC Works64: vers:all/*. Apply the following compensating controls:
HARDENING: Plan migration of GENESIS32 to GENESIS V11, as GENESIS32 (Version 9) is end-of-life and will not receive security patches