Advisory

Mitsubishi Electric and ICONICS Patch Critical Industrial Software Flaws

Take action: Review the advisory to check whether you are running any of the affected product lines. As usual, make sure all industrial devices are isolated from the internet and reachable only from trusted networks. Then plan a patch cycle. For the older products, MC Works64 and GENESIS32, plan a replacement path: they will not receive a patch.


Learn More

Mitsubishi Electric and ICONICS have released security updates that fix several flaws in their industrial automation software. Depending on the flaw, an attacker can steal sensitive data, crash industrial systems, or take full control of the affected server.

Vulnerabilities summary:

  • CVE-2022-33318 (CVSS score 9.8) - A critical deserialization flaw in GenBrokerX64 that allows remote code execution.
  • CVE-2022-33319 (CVSS score 8.2) - An out-of-bounds read in GenBrokerX64 that can leak data or crash the system.
  • CVE-2022-33315 (CVSS score 7.8) - A deserialization flaw in GraphWorX64 leading to code execution.
  • CVE-2022-33316 (CVSS score 7.8) - A second deserialization flaw in GraphWorX64.
  • CVE-2022-33317 (CVSS score 7.8) - A flaw in GraphWorX64 scripting that lets attackers run code via crafted project files.
  • CVE-2022-33320 (CVSS score 7.8) - A flaw in how the suite handles XML configuration files.
  • CVE-2022-29834 (CVSS score 7.5) - A path traversal flaw in MobileHMI and IoTWorX that exposes sensitive files.

These vulnerabilities affect GENESIS64, ICONICS Suite, MC Works64, and GENESIS32 products.

Users should update GENESIS64 and ICONICS Suite to version 10.97.1 (Rollup 3) or 10.97 (Rollup 4). Mitsubishi Electric stated it will not release fixes for MC Works64 or GENESIS32 and recommends that users of these older products migrate to a current version of GENESIS64.
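To support the "check if you are using the affected product lines" step, the following PowerShell snippet inventories installed ICONICS and Mitsubishi Electric products on a Windows host from the standard Uninstall registry keys and tags each one with the action the advisory prescribes. This is an added example, not code from ICONICS, Mitsubishi Electric or the advisory; it assumes the products register under the usual Uninstall keys and that their DisplayName contains the product family name (ICONICS, GENESIS64, GENESIS32, MC Works64), which you should confirm against your own installations.

```powershell
# Added example (not vendor code): inventory ICONICS / Mitsubishi Electric products on this host
# and map each to the advisory's guidance (update vs. replace).
# Assumption: products appear under the standard Uninstall keys and their DisplayName
# contains the family name matched below.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Product families named in the advisory and the action it prescribes for each.
# End-of-life families are listed first so they match before the generic 'ICONICS' entry.
$guidance = @(
    @{ Pattern = 'MC Works64'; Action = 'No fix planned: plan migration to GENESIS64' },
    @{ Pattern = 'GENESIS32';  Action = 'No fix planned: plan migration to GENESIS64' },
    @{ Pattern = 'GENESIS64';  Action = 'Update to 10.97.1 Rollup 3 / 10.97 Rollup 4 or later' },
    @{ Pattern = 'ICONICS';    Action = 'Update to 10.97.1 Rollup 3 / 10.97 Rollup 4 or later' }
)

$installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match 'ICONICS|GENESIS|MC Works' }

foreach ($app in $installed) {
    # First matching rule wins (order of $guidance above).
    $rule = $guidance |
        Where-Object { $app.DisplayName -match [regex]::Escape($_.Pattern) } |
        Select-Object -First 1

    [pscustomobject]@{
        Name    = $app.DisplayName
        Version = $app.DisplayVersion   # base version only; rollup level may not be reflected here
        Action  = if ($rule) { $rule.Action } else { 'Review manually' }
    }
}
```

Run it elevated on each HMI/SCADA server and engineering workstation. The DisplayVersion from the registry may not reflect the installed rollup level, so confirm the rollup in the product itself before marking a GENESIS64 or ICONICS Suite host as patched.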

If you cannot update right away, isolate your control systems behind firewalls and keep them off the public internet. Use a VPN for remote access and keep the VPN software current. Do not open links or email attachments from unknown sources; several of these flaws are triggered by opening a malicious project file.
