Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric Products (Update E)

Status: Monitor
CVSS base score: 6.5
Source: ICS-CERT ICSA-25-140-04, published May 20, 2025
Vendor: Mitsubishi Electric / ICONICS
Sector: Energy

Attack path (CVSS base metrics)
Attack Vector: Local
Privileges Required: Low
Attack Complexity: Low
User Interaction: None
Summary

A vulnerability in the Classic OPC Point Manager service in Mitsubishi Electric GENESIS, GENESIS64, and ICONICS Suite allows a low-privileged local user to modify information and data files on the workstation where the service runs. In GENESIS 11.00 the service is disabled by default and should remain disabled. GENESIS 11.01 and later include a fix. Patches for GENESIS64 and ICONICS Suite are in preparation. MC Works64 and BizViz will not receive fixes.

What this means
What could happen
An attacker with local access to an operator workstation could modify information or data files on that machine. Depending on what the workstation hosts, that can mean corrupted historian records, altered project or configuration files, or tampered logs, all of which plant operations and any later forensic review depend on. The impact is to integrity: the page reports no confidentiality or availability effect.
Who's at risk
Organizations running Mitsubishi Electric GENESIS or GENESIS64 HMI/SCADA software, and ICONICS Suite users. The exposure concentrates in utility and manufacturing facilities that rely on these workstations for real-time monitoring and historian data collection. MC Works64 and BizViz are end of life and will not be patched; GENESIS64 and ICONICS Suite users are waiting on patches that the vendor says are in preparation.
How it could be exploited
An attacker who already has a local user session on a workstation running GENESIS, GENESIS64, or ICONICS Suite, and on which the Classic OPC Point Manager service (the component that manages real-time data connections in GENESIS) is running, can abuse the service to tamper with information on the workstation, affecting the integrity of historical data or operational records. Note that a CVSS attack vector of "Local" does not mean physical presence: an RDP session, a shared operator account, or any foothold gained through phishing satisfies it. No user interaction by the operator is required.
Prerequisites
  • A local user account on the target workstation (low privileges are sufficient)
  • GENESIS 11.00 with the Classic OPC Point Manager service enabled, or
  • GENESIS64 or ICONICS Suite at a vulnerable version
Key points:
  • Local access required
  • Low attack complexity
  • Affects data integrity of operational records
  • Multiple products without planned fixes
Exploitability
Unlikely to be exploited: EPSS score 0.0%. EPSS estimates the probability of observed exploitation in the wild over the next 30 days and is driven largely by remotely reachable, widely fingerprinted flaws, so a near-zero score for a local integrity bug on OT workstations is expected and says little about the risk from an insider or from an attacker who already has a foothold on the HMI network.
Affected products (6)

Product         Affected versions   Fix status
GENESIS32       All versions        11.01 or later (as listed on this page)
GENESIS64       All versions        Patch in preparation
ICONICS Suite   All versions        Patch in preparation
MC Works64      All versions        No fix (end of life)
BizViz          All versions        No fix (end of life)
GENESIS         11.00               11.01 or later

Fix status for GENESIS64 and ICONICS Suite follows the vendor summary above; the service is disabled by default only in GENESIS 11.00.
Remediation & Mitigation

Do now
WORKAROUND: In GENESIS 11.00, ensure the Classic OPC Point Manager service is disabled. It is disabled by default; do not enable it.
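The workaround above is a configuration state that drifts (a vendor support session or a troubleshooting step can re-enable a service), so it is worth auditing rather than assuming. The following PowerShell script is an added example for this page, not vendor or advisory code: it reports the start mode, run state and service account of any Windows service whose display name matches a pattern, and with -Enforce stops and disables it. The pattern '*Classic OPC Point Manager*' is an assumption; verify the actual service name on an installed GENESIS 11.00 system before trusting the match, since a wrong pattern silently reports "no service found".

```powershell
# Added example (not from the advisory or the vendor): audit the Classic OPC Point Manager
# service on a GENESIS 11.00 workstation and, with -Enforce, make sure it stays off.
# ASSUMPTION: the service's DisplayName contains "Classic OPC Point Manager".
# Confirm the real name on your install before relying on the match.
param(
    [string]$DisplayNamePattern = '*Classic OPC Point Manager*',
    [switch]$Enforce
)

$services = Get-Service | Where-Object { $_.DisplayName -like $DisplayNamePattern }

if (-not $services) {
    Write-Output "No service matching '$DisplayNamePattern' found. Check the pattern before concluding the workaround is in place."
    return
}

foreach ($svc in $services) {
    # Win32_Service exposes the start mode and the account the service runs as,
    # which Get-Service alone does not show on older PowerShell versions.
    $cfg = Get-CimInstance Win32_Service -Filter "Name='$($svc.Name)'"
    $compliant = ($svc.Status -eq 'Stopped' -and $cfg.StartMode -eq 'Disabled')

    [pscustomobject]@{
        Name      = $svc.Name
        Status    = $svc.Status        # Running / Stopped
        StartMode = $cfg.StartMode     # Auto / Manual / Disabled
        Account   = $cfg.StartName     # LocalSystem widens what a tampered service can touch
        Compliant = $compliant
    }

    if ($Enforce -and -not $compliant) {
        # Needs an elevated shell. Stop first so a running instance does not outlive the change.
        Stop-Service -Name $svc.Name -Force -ErrorAction Stop
        Set-Service  -Name $svc.Name -StartupType Disabled
        Write-Output "Stopped and disabled $($svc.Name)"
    }
}
```

Run it read-only first across the fleet (for example through Invoke-Command against the operator workstations) and keep the output as evidence; only add -Enforce once the service name is confirmed, because disabling the wrong service on an HMI is its own outage.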
Schedule (requires a maintenance window)

Patching may require a device reboot: plan for process interruption.

HOTFIX: Update GENESIS to version 11.01 or later.
HOTFIX: Update GENESIS64 and ICONICS Suite to the patched version once Mitsubishi Electric releases it.
Mitigations where no patch is available

MC Works64 and BizViz have reached end of life and will not be fixed. GENESIS64 and ICONICS Suite remain unpatched until the vendor ships the updates it has announced. On all of these systems, apply compensating controls; on the end-of-life products they are permanent:
HARDENING: Restrict local logon privileges on operator workstations to authorized personnel only. Because the attack vector is local, every account that can open an interactive or Remote Desktop session on the workstation is in scope, not just people who sit at the console.
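"Restrict local logon" is enforced on Windows through the user rights assignments "Allow log on locally" (SeInteractiveLogonRight) and "Allow log on through Remote Desktop Services" (SeRemoteInteractiveLogonRight). The script below is an added example for this page, not vendor code: it exports the effective local security policy with secedit, resolves the SIDs holding those two rights to account names, and flags well-known broad groups. The list of groups treated as "too broad" is an assumption about site policy; adjust it to your own allowlist.

```powershell
# Added example (not from the advisory or the vendor): list who may log on locally or via RDP
# on an operator workstation and flag broad groups. Run from an elevated shell; secedit
# requires administrative rights to export the policy.
$export = Join-Path $env:TEMP 'secpol-user-rights.inf'
secedit /export /cfg $export /areas USER_RIGHTS | Out-Null

# Well-known SIDs that should not hold logon rights on a hardened HMI workstation.
# ASSUMPTION: this reflects a typical site policy, not anything stated in the advisory.
$broadSids = @{
    '*S-1-1-0'      = 'Everyone'
    '*S-1-5-11'     = 'Authenticated Users'
    '*S-1-5-32-545' = 'BUILTIN\Users'
    '*S-1-5-32-546' = 'BUILTIN\Guests'
}

$rights = 'SeInteractiveLogonRight', 'SeRemoteInteractiveLogonRight'
$lines  = Get-Content $export

foreach ($right in $rights) {
    # secedit writes e.g.  SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
    $line = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    if (-not $line) {
        [pscustomobject]@{ Right = $right; Principal = '(nobody)'; Note = '' }
        continue
    }

    $entries = (($line -split '=', 2)[1]).Trim() -split ','
    foreach ($entry in $entries) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*S-1-')) {
            # Leading '*' marks a SID; resolve it to DOMAIN\Name where possible.
            try {
                $sid  = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $name = $entry   # orphaned or unresolvable SID: still worth reviewing
            }
        } else {
            $name = $entry       # already an account name
        }

        $note = if ($broadSids.ContainsKey($entry)) { "REVIEW: broad group ($($broadSids[$entry]))" } else { '' }
        [pscustomobject]@{ Right = $right; Principal = $name; Note = $note }
    }
}

Remove-Item $export -ErrorAction SilentlyContinue
```

Anything flagged REVIEW means every member of that group (on a domain-joined workstation, potentially every domain user) satisfies the "local user" prerequisite for this vulnerability. Replace broad groups with a dedicated operator group, and apply the same review to the "Deny log on locally" counterpart if your baseline uses it.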
