Advisory

Mitsubishi Electric patches critical SCADA and HMI vulnerabilities

Take action: Make sure all Mitsubishi Electric and ICONICS Digital Solutions devices are isolated from the internet and accessible from trusted networks only. Update GENESIS64 to version 10.97.1 immediately, and update all other systems for which patches are available. Since GENESIS32 is retired and won't be patched, use strict network isolation and plan a replacement.



Mitsubishi Electric and ICONICS Digital Solutions updated a report on security holes in their HMI and SCADA software. Attackers could use these flaws to break into systems, steal data, or shut down SQL servers. 

Vulnerabilities summary:

  • CVE-2022-23128 (CVSS score 9.8) - Security bypass in FrameWorX Server via WebSocket endpoints. Attackers can bypass security by opening a communication channel through WebSocket endpoints on ports 80 or 443. This allows them to take over the GENESIS64 or MC Works64 platforms without needing credentials.
  • CVE-2022-23129 (CVSS score 7.7) - Plaintext password exposure when exporting GridWorX configurations to CSV files.
  • CVE-2022-23130 (CVSS score 5.9) - Buffer over-read in the SQL query engine that can disable the SQL Server.
  • CVE-2022-23127 (CVSS score 4.2) - Cross-site scripting (XSS) in MobileHMI due to poor input checks.

These issues affect the ICONICS Suite, including Hyper Historian and AnalytiX, and Mitsubishi Electric MC Works64. 

The GENESIS32 platform is vulnerable to the SQL crash bug. Since these systems manage critical manufacturing, a breach could stop factory lines or damage hardware.

Mitsubishi Electric released patches for most affected products. Users should upgrade to GENESIS64 version 10.97.1 or later. The company will not patch GENESIS32 because it is retired. Operators should use firewalls and keep these systems off the public internet or set them up on physically separate networks.
