Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric Products (Update E)
Monitor6.5ICS-CERT ICSA-25-140-04May 20, 2025
Attack VectorLocal
Auth RequiredLow
ComplexityLow
User InteractionNone needed
Summary
Insufficient privilege validation in Mitsubishi Electric GENESIS, GENESIS64, ICONICS Suite, MC Works64, and BizViz allows a local user with non-administrative credentials to modify configuration and data files on the engineering workstation. In GENESIS 11.00, the vulnerability is specific to the Classic OPC Point Manager service. Successful exploitation could result in information tampering on the target workstation, including modification of automation logic, process setpoints, or HMI configuration without authorization or audit trail.
What this means
What could happen
An attacker with local workstation access and engineering credentials could modify configuration or data files on the GENESIS HMI/SCADA engineering workstation, potentially altering automation logic or process parameters without audit trail.
Who's at risk
This affects operators and engineers at utilities and industrial facilities running Mitsubishi Electric GENESIS (versions 11.00 and earlier) or ICONICS Suite HMI/SCADA engineering workstations. The vulnerability only matters if Classic OPC Point Manager is enabled (GENESIS 11.00) or for organizations waiting on vendor patches for GENESIS64 and ICONICS Suite versions.
How it could be exploited
An attacker with local access to a GENESIS engineering workstation and valid non-admin credentials could exploit insufficient privilege validation in the Classic OPC Point Manager service (enabled in GENESIS 11.00) to write or modify configuration files that control industrial processes or HMI displays.
Prerequisites
- Local access to the GENESIS engineering workstation
- Valid user-level credentials (non-administrative)
- Classic OPC Point Manager service enabled (GENESIS 11.00 only; disabled by default)
- Write access to workstation file system
No authentication required beyond user-level OS credentialsLow complexity exploitationAffects engineering/control workstationsNo patch available for most affected productsInformation tampering with no audit trail
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (6)
3 with fix3 EOL
ProductAffected VersionsFix Status
GENESIS32: vers:all/*All versions11.01 or later
GENESIS64: vers:all/*All versions11.01 or later
ICONICS Suite: vers:all/*All versionsNo fix (EOL)
MC Works64 vers:all/*All versionsNo fix (EOL)
BizViz: vers:all/*All versionsNo fix (EOL)
GENESIS: 11.0011.0011.01 or later
Remediation & Mitigation
0/5
Do now
0/1WORKAROUNDDo not enable the Classic OPC Point Manager service in GENESIS 11.00 (it is disabled by default)
Schedule — requires maintenance window
0/2Patching may require device reboot — plan for process interruption
HOTFIXUpgrade GENESIS to version 11.01 or later
HOTFIXMonitor ICONICS partners portal (https://partners.iconics.com) for security patches to GENESIS64 and ICONICS Suite as vendors prepare fixes
Mitigations - no patch available
0/2The following products have reached End of Life with no planned fix: ICONICS Suite: vers:all/*, MC Works64 vers:all/*, BizViz: vers:all/*. Apply the following compensating controls:
HARDENINGRestrict physical access to GENESIS engineering workstations to authorized personnel only
HARDENINGImplement strong access controls and logging for engineering workstation user accounts to detect unauthorized modification attempts
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/71cd0e58-ba0e-403e-8336-79276eaf6894