IronMonkey Threat Research

Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric Products (Update E)

Severity: HIGH
CVSS: 7.0
Date: 2026-06-04T06:00:00+00:00
Source: cisa-csaf
Published by: CISA

// Description

Successful exploitation of these vulnerabilities could result in denial-of-service, improper privilege management, or potentially arbitrary code execution.

// Vulnerabilities (5)

CVE ID | CVSS Score | Severity | Description

CVE-2024-1182 | 7.0 | High
When the affected products are installed with the Pager agent in the multi-agent notification feature, an arbitrary code execution vulnerability due to an uncontrolled search path element exists in that feature. A local attacker can execute arbitrary code by placing a specially crafted DLL in a specific folder.

CVE-2024-1574 | 6.7 | Medium
An arbitrary code execution vulnerability due to use of externally-controlled input to select classes or code ('unsafe reflection') exists in the licensing feature of the affected products. A local attacker can execute arbitrary code with administrative privileges by tampering with a specific file that is not protected by the system.

CVE-2023-2650 | 3.7 | Low
When the BACnet Secure Connect feature is enabled in the affected products, a temporary denial-of-service vulnerability due to allocation of resources without limits or throttling exists in the OpenSSL library integrated into the products, during data validation. A remote attacker can cause a denial-of-service condition on the affected products by sending a certificate that contains a specially crafted ASN.1 OBJECT IDENTIFIER.

CVE-2023-4807 | 5.9 | Medium
When running on x86_64 CPUs that support AVX512-IFMA instructions and the BACnet Secure Connect feature is enabled in the affected products, a denial-of-service vulnerability due to improper verification of cryptographic signature exists in the Message Authentication Code (MAC) implementation of the OpenSSL library integrated into the products. A remote attacker can cause a denial-of-service condition on the affected products by sending messages that contain a specially crafted MAC.

CVE-2024-1573 | 5.9 | Medium
An authentication bypass vulnerability due to missing authentication for critical function exists in the mobile monitoring feature of the affected products when all of the following conditions are met:
* Active Directory is used in the security setting.
* The "Automatic log in" option is enabled in the security setting.
* The IcoAnyGlass IIS Application Pool is running under an Active Directory Domain Account.
* The IcoAnyGlass IIS Application Pool account is included in GENESIS64, ICONICS Suite, Hyper Historian, AnalytiX, MobileHMI, IoTWorX, and MC Works64 Security and has permission to log in.
This vulnerability allows a remote unauthenticated attacker to bypass proper authentication and log in to the system.
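Triage example, added here and not part of the CISA or vendor advisory: the two OpenSSL entries above only apply while BACnet Secure Connect is enabled, but the first thing a patching team wants to know is which OpenSSL build the installed product actually carries. The script below inventories libcrypto/libssl DLLs under an install root and compares their product version against the OpenSSL releases that fixed CVE-2023-2650 (1.1.1u, 3.0.9, 3.1.1) and CVE-2023-4807 (1.1.1w, 3.0.11, 3.1.3). The install path is an assumption; if the product links OpenSSL statically no DLL is found, and the fixed product version 10.97.3 remains the only reference.

```powershell
# Added example, not vendor code. Inventory OpenSSL DLLs under an install root and
# flag builds older than the releases that fix CVE-2023-2650 and CVE-2023-4807.
# $InstallRoot is an assumed path; point it at the real product directory.
$InstallRoot = 'C:\Program Files\ICONICS'

function Test-OpenSslCarriesBothFixes {
    param([string]$ProductVersion = '')   # e.g. '3.0.9' or '1.1.1u'; empty when no version resource
    # CVE-2023-2650 was fixed in 1.1.1u / 3.0.9 / 3.1.1 and CVE-2023-4807 in
    # 1.1.1w / 3.0.11 / 3.1.3, so the later release of each line is the bar.
    if ($ProductVersion -match '^1\.1\.1([a-z])?$') {
        $letter = if ($Matches[1]) { $Matches[1] } else { ' ' }   # plain 1.1.1 sorts before 1.1.1a
        return ($letter -ge 'w')
    }
    if ($ProductVersion -match '^(\d+)\.(\d+)\.(\d+)') {
        $v = [version]('{0}.{1}.{2}' -f $Matches[1], $Matches[2], $Matches[3])
        if ($v.Major -eq 3 -and $v.Minor -eq 0) { return ($v -ge [version]'3.0.11') }
        if ($v.Major -eq 3 -and $v.Minor -eq 1) { return ($v -ge [version]'3.1.3') }
        if ($v.Major -gt 3 -or ($v.Major -eq 3 -and $v.Minor -ge 2)) { return $true }  # 3.2+ shipped after both fixes
    }
    return $false   # 1.0.x, unparsable or unknown line: treat as unfixed and review by hand
}

Get-ChildItem -Path $InstallRoot -Recurse -Include 'libcrypto*.dll', 'libssl*.dll' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $pv = [string]$_.VersionInfo.ProductVersion
        [pscustomobject]@{
            Path      = $_.FullName
            Version   = $pv
            BothFixed = Test-OpenSslCarriesBothFixes -ProductVersion $pv
        }
    } |
    Format-Table -AutoSize
```

A DLL reported as BothFixed = False is only reachable through the vulnerabilities above when BACnet Secure Connect is turned on, so pair this output with the feature configuration before raising a ticket; the version bar is the OpenSSL project's, not something the advisory states.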

// Affected Products (83)

Vendor | Product | Asset Type | Purdue Level | Firmware
Mitsubishi Electric | Unknown | historian | L3 | 10.97.2
Mitsubishi Electric Iconics Digital Solutions | Unknown | scada_server | L2 | 10.97.2
Mitsubishi Electric | Unknown | scada_server | L2 | 10.97.2
Mitsubishi Electric Iconics Digital Solutions | Unknown | historian | L3 | 10.97.2
Mitsubishi Electric | Unknown | hmi | L2 | 10.97.2
Mitsubishi Electric Iconics Digital Solutions | Unknown | hmi | L2 | 10.97.2
Mitsubishi Electric Iconics Digital Solutions, Mitsubishi Electric | Unknown | hmi | L2 | 10.97.2
Siemens | Unknown | network_device | -- | -- (54 identical entries)
Siemens | Unknown | plc | L1 | -- (4 identical entries)
Siemens | Unknown | network_device | -- | -- (17 identical entries)
Mitsubishi Electric Iconics Digital Solutions, Mitsubishi Electric | Unknown | hmi | L2 | --

// Remediations (44)

Mitigation: For users of GENESIS64, ICONICS Suite, and Hyper Historian that do not have a fixed version, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend not custom-installing the multi-agent notification feature unless it is specifically needed. That feature is no longer part of the default installation for GENESIS64, ICONICS Suite, and Hyper Historian Version 10.97.3 and later. For users of GENESIS32 and MC Works64 that do not have a fixed version, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend not installing the multi-agent notification feature.
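Where the feature cannot be removed yet, the practical check for an uncontrolled-search-path DLL planting bug such as CVE-2024-1182 is whether any directory the product might load from is writable by ordinary users. The script below is an added example, not vendor code: it walks an install root (assumed path) and reports directories where a low-privilege principal holds a write or generic-write allow ACE. The advisory does not name the "specific folder", so every hit is a candidate for follow-up rather than a confirmed finding.

```powershell
# Added example, not vendor code. List directories under an install root that
# non-administrative principals can write to. A DLL dropped there only matters
# for CVE-2024-1182 if the directory is on the feature's search path, which the
# advisory does not name, so treat each hit as a candidate to verify.
# $InstallRoot is an assumed path; point it at the real product directory.
$InstallRoot = 'C:\Program Files\ICONICS'

$LowPrivPrincipals = @(
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'Everyone'
)

function Get-LowPrivWritableDirectory {
    param([Parameter(Mandatory)][string]$Root)
    # WriteData (same bit as CreateFiles) is what lets a principal place a file;
    # Modify and FullControl include it. Inherited ACEs sometimes carry raw generic
    # rights instead of the enum names, so those bits are tested separately.
    $writeBit    = [int][System.Security.AccessControl.FileSystemRights]::WriteData
    $genericBits = 0x40000000 -bor 0x10000000   # GENERIC_WRITE | GENERIC_ALL

    $dirs = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            # Deny ACEs are not evaluated here; a Deny on the same principal would override an Allow.
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            $rights = [int]$ace.FileSystemRights
            if (($rights -band $writeBit) -ne 0 -or ($rights -band $genericBits) -ne 0) {
                [pscustomobject]@{
                    Directory = $dir.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
            }
        }
    }
}

Get-LowPrivWritableDirectory -Root $InstallRoot | Format-Table -AutoSize
```

Run it from an elevated prompt so every subdirectory can be read. Directories that legitimately need user writes (logs, exports) should not hold loadable binaries; for any hit that does, compare against the DLLs the multi-agent notification service actually loads (Process Monitor or the service's loaded-module list) before deciding it is in scope.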
Mitigation: For users of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend ensuring that at least one of the following four conditions in the security settings of GENESIS64, ICONICS Suite, Hyper Historian, AnalytiX, MobileHMI, IoTWorX, and MC Works64 is not met. (1) Active Directory is used in the security setting. (2) The "Automatic log in" option is enabled in the security setting. (3) The IcoAnyGlass IIS application pool is running under an Active Directory Domain Account. (4) The IcoAnyGlass IIS Application Pool account is included in GENESIS64, ICONICS Suite, Hyper Historian, AnalytiX, MobileHMI, IoTWorX, and MC Works64 Security and has permission to log in.
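The mitigation is a conjunction: CVE-2024-1573 needs all four conditions at once, so breaking any one of them closes it. The function below is an added example, not vendor code. It reads condition (3) directly from IIS (the IcoAnyGlass pool name is the one the advisory gives) and takes conditions (1), (2) and (4) as switches, because those live in the product's own security configuration and have no generic query interface; the operator sets them after checking the product's security settings.

```powershell
# Added example, not vendor code. Evaluate the four preconditions of CVE-2024-1573.
# Condition (3) is read from IIS; (1), (2) and (4) are ICONICS security settings
# that must be looked up in the product and passed in as switches.
Import-Module WebAdministration -ErrorAction Stop

function Test-IcoAnyGlassExposure {
    param(
        [string]$AppPoolName = 'IcoAnyGlass',      # pool name taken from the advisory
        [switch]$ActiveDirectorySecurity,          # condition (1)
        [switch]$AutomaticLogin,                   # condition (2)
        [switch]$PoolAccountInProductSecurity      # condition (4)
    )
    $pool         = Get-ItemProperty -Path "IIS:\AppPools\$AppPoolName" -ErrorAction Stop
    $identityType = [string]$pool.processModel.identityType
    $userName     = [string]$pool.processModel.userName

    # Condition (3): the pool runs as a specific user and that user is a domain account.
    # Domain accounts are written DOMAIN\user or user@domain; local accounts use the
    # machine name, '.', a built-in qualifier, or no qualifier at all.
    $isDomainAccount = $false
    if ($identityType -eq 'SpecificUser' -and $userName) {
        if ($userName -match '^([^\\]+)\\') {
            $qualifier = $Matches[1]
            $isDomainAccount = $qualifier -notin @('.', $env:COMPUTERNAME, 'BUILTIN', 'NT AUTHORITY')
        } elseif ($userName -match '@') {
            $isDomainAccount = $true
        }
    }

    $c1 = [bool]$ActiveDirectorySecurity
    $c2 = [bool]$AutomaticLogin
    $c3 = $isDomainAccount
    $c4 = [bool]$PoolAccountInProductSecurity

    [pscustomobject]@{
        AppPool                 = $AppPoolName
        IdentityType            = $identityType
        PoolAccount             = $userName
        ActiveDirectorySecurity = $c1
        AutomaticLogin          = $c2
        PoolRunsAsDomainAccount = $c3
        PoolAccountInSecurity   = $c4
        AllFourMet              = ($c1 -and $c2 -and $c3 -and $c4)
    }
}

# Usage: pass the switches that are true in the product's security settings.
Test-IcoAnyGlassExposure -ActiveDirectorySecurity -AutomaticLogin -PoolAccountInProductSecurity |
    Format-List
```

AllFourMet = True means the unauthenticated log-in path is open until one condition is changed; moving the pool to a built-in identity such as ApplicationPoolIdentity breaks condition (3) without touching the product's security settings, but confirm with the vendor documentation that the mobile monitoring feature still functions under that identity.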
Patch: Mitsubishi Electric is releasing fixed version 10.97.3 or later for IoTWorX. Download the fixed version from "https://iconicsinc.my.site.com/community/s/iconics-software/a375a000004qDU8AAM/iotworx". For more information on the fixed version, refer to the Mitsubishi Electric security advisory at "https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2024-004_en.pdf".

Mitigation: For users of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend preventing users from clicking on web links in e-mails or other messages from untrusted sources, or from opening attachments in untrusted e-mails, to minimize the risk of exploiting this vulnerability.

Patch: Mitsubishi Electric Iconics Digital Solutions is releasing fixed version 10.97.3 or later for GENESIS64, ICONICS Suite, Hyper Historian, AnalytiX, and MobileHMI. Download the fixed version from "https://iconicsinc.my.site.com/community/s/iconics-software/ICONICS_Software__c/00BQQ000008P51V2AS?ICONICS_Software__c-filterId=Product_Version_10_97_3". For more information, refer to the Mitsubishi Electric Iconics Digital Solutions whitepaper on security vulnerabilities. The latest white papers can be found at "https://iconics.com/About/Security/CERT".

Patch: Mitsubishi Electric Iconics Digital Solutions is releasing fixed version 10.97.3 or later for IoTWorX. Download the fixed version from "https://iconicsinc.my.site.com/community/s/iconics-software/a375a000004qDU8AAM/iotworx". For more information, refer to the Mitsubishi Electric Iconics Digital Solutions whitepaper on security vulnerabilities. The latest white papers can be found at "https://iconics.com/About/Security/CERT".

Mitigation: For users of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend locating control system networks and devices behind firewalls and isolating them from untrusted networks and hosts, to minimize the risk of exploiting this vulnerability.

Mitigation: For users of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend preventing users from clicking on web links in e-mails or other messages from untrusted sources, or from opening attachments in untrusted e-mails, to minimize the risk of exploiting this vulnerability.

Mitigation: For users of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric recommend restricting physical access to the personal computer on which the product is installed and to the network to which that computer is connected, to prevent unauthorized contact and minimize the risk of exploiting this vulnerability.

Patch: Mitsubishi Electric is releasing fixed version 10.97.3 or later for GENESIS64, ICONICS Suite, Hyper Historian, AnalytiX, and MobileHMI. Download the fixed version from "https://iconicsinc.my.site.com/community/s/iconics-software/ICONICS_Software__c/00BQQ000008P51V2AS?ICONICS_Software__c-filterId=Product_Version_10_97_3". For more information on the fixed version, refer to the Mitsubishi Electric security advisory at "https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2024-004_en.pdf".

Patch: Update to V4.5 or later version.

Mitigation: Update steps:

Patch: CC-Link IE TSN Industrial Managed Switch NZ2MHG-TSNT4: Version "06" or later.

Mitigation: Mitsubishi Electric recommends that customers take the following mitigations to minimize the risk of exploiting this vulnerability:

Mitigation: Use the products within a LAN and block access from untrusted networks and hosts.

Patch: CC-Link IE TSN Industrial Managed Switch NZ2MHG-TSNT8F2: Version "06" or later.

Mitigation: When internet access is required, use a virtual private network (VPN) or other means to prevent unauthorized access.

Mitigation: For additional information see Mitsubishi Electric advisory 2024-002.

Mitigation: Contact your local Mitsubishi Electric representative to obtain the fixed firmware version file for the CC-Link IE TSN Industrial Managed Switch.

Mitigation: Fixed versions:

Patch: After you log into NZ2MHG-TSNT8F2 or NZ2MHG-TSNT4 through the web interface, change the user name and password from the default setting at [Account Management] in the function menu. Also set the proper access permissions for the users.

Mitigation: Restrict physical access to the product and to your computer and network equipment on the same network.

Patch: After logging into NZ2MHG-TSNT8F2 or NZ2MHG-TSNT4 through the web interface, update the firmware to the fixed firmware version file mentioned in step 1 above using [System] -> [System Management] -> [Firmware Upgrade] from the function menu. For the detailed procedure, refer to "CC-Link IE TSN Industrial Managed Switch User's Manual (SH-082449ENG)".

Mitigation: Mitsubishi Electric recommends that users update to the fixed versions by following the steps below.

Patch: Update to V2.0 SP1 or later version.

Mitigation: Only build and run applications from trusted sources.

Patch: Update to V3.1.5 or later version.

Mitigation: Secure the Windows Server on which the RTLS Locating Manager is installed with a firewall and make sure no ports are accessible from untrusted networks.

Patch: Update to V3.0.1.1 or later version. The update is available from Siemens Online Software Delivery (OSD).

Mitigation: Install the required RTLS Locating Manager components on a single host computer where possible and ensure only trusted persons have access to the system.

Mitigation: Apply security hardening of the Windows Server on which the RTLS Locating Manager is installed, in accordance with your corporate security policies or up-to-date hardening guidelines.

Mitigation: MELSOFT VIXIO: Install Version 1.04E or later.

Mitigation: Use the products within a control system, and protect the network and devices in the control system with a firewall to block access from untrusted networks and hosts.

Mitigation: Mitsubishi Electric recommends that users install the fixed version below and update the software:

Mitigation: Mitsubishi Electric recommends that users take the following mitigations to minimize the risk of exploiting this vulnerability:

Mitigation: Restrict physical access to the PC on which the product is installed and to the network to which the PC is connected to prevent unauthorized access.

Mitigation: MELSOFT MaiLab: Install Version 1.06G or later.

Mitigation: For specific update instructions and additional details see the Mitsubishi Electric advisory.

Mitigation: Do not click on web links in emails or other messages from untrusted sources. Also, do not open attachments from untrusted emails.

Mitigation: For information about how to install the fixed version, please contact a local Mitsubishi Electric representative.

Mitigation: When Internet access is required, use a firewall or a virtual private network (VPN) to prevent unauthorized access.

Patch: Update to V3.0 SP1 or later version.

Patch: Update to V1.0 SP2 Update 3 or later version.

Patch: Update to V4.0.700 or later version.

// References