The advisory covers multiple vulnerabilities in ICONICS and Mitsubishi Electric products, including GENESIS64, Hyper Historian, AnalytiX, and MobileHMI. Successful exploitation could result in denial of service, privilege escalation, or remote code execution. Affected versions include ICONICS Suite Version 10.97.2 and prior, as well as AlarmWorX64 MMX and MobileHMI versions prior to 10.97.3.
The weakness classes identified are allocation of resources without limits or throttling, improper neutralization of code (code injection), uncontrolled search path element, improper authentication, and unsafe reflection. Depending on the flaw, an attacker could cause denial of service or gain unauthorized elevated privileges on the affected system. The vulnerabilities are exploitable remotely, although the advisory characterizes the attack as requiring a high level of complexity.
ICONICS recommends that users update to Version 10.97.3, which addresses these vulnerabilities. Until the update is applied, ICONICS advises following the security guidelines in its whitepaper and keeping the latest security patches installed. Both ICONICS and Mitsubishi Electric are distributing the corresponding critical updates and security patches.
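One practical first step on a Windows host running these products is to confirm which ICONICS components are installed and whether any are still below 10.97.3. The following PowerShell script is an added example, not code from the advisory or from ICONICS; it reads the standard Windows Uninstall registry keys and flags entries older than the fixed version. It assumes the component's DisplayName or Publisher contains the string "ICONICS" and that DisplayVersion is a dotted version string; both are assumptions about how the installers register themselves, so treat "UNKNOWN" results as a prompt for manual verification rather than a clean bill of health.

```powershell
# Added example (not from the advisory or from ICONICS): flag installed ICONICS
# components whose registered version is below the fixed release 10.97.3.
# Assumption: the installer registers with "ICONICS" in DisplayName or Publisher
# and records a dotted version string in DisplayVersion.
$FixedVersion = [version]'10.97.3'

# Both native and 32-bit-on-64-bit registration paths.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$Findings = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'ICONICS' -or $_.Publisher -match 'ICONICS' } |
    ForEach-Object {
        $installed = $null
        # TryParse returns $false for a missing or non-dotted DisplayVersion.
        $parsed = [version]::TryParse([string]$_.DisplayVersion, [ref]$installed)

        if (-not $parsed) {
            $status = 'UNKNOWN (version not parseable; verify manually)'
        } elseif ($installed -lt $FixedVersion) {
            $status = 'VULNERABLE (update to 10.97.3 or later)'
        } else {
            $status = 'OK'
        }

        [pscustomobject]@{
            Name    = $_.DisplayName
            Version = $_.DisplayVersion
            Status  = $status
        }
    }

if (-not $Findings) {
    Write-Output 'No ICONICS components found in the Uninstall registry keys.'
} else {
    $Findings | Sort-Object Status | Format-Table -AutoSize
}
```

Run it in an elevated PowerShell session on each server or HMI host; because it only reads the registry it is safe to schedule across a fleet, and the VULNERABLE rows give you the list of components to take through the vendor's update process.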
CISA additionally recommends the usual defensive measures for control-system assets: minimize network exposure so that control-system devices are not reachable from the internet, place control-system networks and remote devices behind firewalls and isolate them from business networks, and where remote access is required use secure methods such as VPNs, recognizing that a VPN is only as secure as the devices connected to it. CISA also advises following established cybersecurity best practices and performing impact analysis and risk assessment before deploying new defensive measures. At the time of the advisory, no public reports of exploitation of these vulnerabilities had been received.