Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2022-33320 (GCVE-0-2022-33320)
Vulnerability from cvelistv5 – Published: 2022-07-20 16:56 – Updated: 2026-01-09 05:16
VLAI?
EPSS
Summary
Deserialization of Untrusted Data vulnerability in Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric ICONICS Suite versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite versions 10.97 to 10.97.1, and Mitsubishi Electric MC Works64 versions 4.04E and prior allows an unauthenticated attacker to execute an arbitrary malicious code by leading a user to load a project configuration file including malicious XML codes.
Severity ?
7.8 (High)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.mitsubishielectric.com/en/psirt/vulne… | vendor-advisory |
| https://jvn.jp/vu/JVNVU96480474/index.html | government-resource |
| https://www.cisa.gov/news-events/ics-advisories/i… | government-resource |
Impacted products
5 products
| Vendor | Product | Version | |
|---|---|---|---|
| Mitsubishi Electric | GENESIS64 |
Affected:
Versions 10.97 to 10.97.1
|
|
| Mitsubishi Electric Iconics Digital Solutions | GENESIS64 |
Affected:
Versions 10.97 to 10.97.1
|
|
| Mitsubishi Electric | ICONICS Suite |
Affected:
Versions 10.97 to 10.97.1
|
|
| Mitsubishi Electric Iconics Digital Solutions | ICONICS Suite |
Affected:
Versions 10.97 to 10.97.1
|
|
| Mitsubishi Electric | MC Works64 |
Affected:
Versions 4.04E and prior
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T08:09:21.319Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://jvn.jp/vu/JVNVU96480474/index.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "GENESIS64",
"vendor": "Mitsubishi Electric",
"versions": [
{
"status": "affected",
"version": "Versions 10.97 to 10.97.1"
}
]
},
{
"defaultStatus": "unaffected",
"product": "GENESIS64",
"vendor": "Mitsubishi Electric Iconics Digital Solutions",
"versions": [
{
"status": "affected",
"version": "Versions 10.97 to 10.97.1"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ICONICS Suite",
"vendor": "Mitsubishi Electric",
"versions": [
{
"status": "affected",
"version": "Versions 10.97 to 10.97.1"
}
]
},
{
"defaultStatus": "unaffected",
"product": "ICONICS Suite",
"vendor": "Mitsubishi Electric Iconics Digital Solutions",
"versions": [
{
"status": "affected",
"version": "Versions 10.97 to 10.97.1"
}
]
},
{
"defaultStatus": "unaffected",
"product": "MC Works64",
"vendor": "Mitsubishi Electric",
"versions": [
{
"status": "affected",
"version": "Versions 4.04E and prior"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Deserialization of Untrusted Data vulnerability in Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric ICONICS Suite versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite versions 10.97 to 10.97.1, and Mitsubishi Electric MC Works64 versions 4.04E and prior allows an unauthenticated attacker to execute an arbitrary malicious code by leading a user to load a project configuration file including malicious XML codes."
}
],
"value": "Deserialization of Untrusted Data vulnerability in Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric ICONICS Suite versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite versions 10.97 to 10.97.1, and Mitsubishi Electric MC Works64 versions 4.04E and prior allows an unauthenticated attacker to execute an arbitrary malicious code by leading a user to load a project configuration file including malicious XML codes."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-09T05:16:27.798Z",
"orgId": "e0f77b61-78fd-4786-b3fb-1ee347a748ad",
"shortName": "Mitsubishi"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf"
},
{
"tags": [
"government-resource"
],
"url": "https://jvn.jp/vu/JVNVU96480474/index.html"
},
{
"tags": [
"government-resource"
],
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-22-202-04"
}
],
"source": {
"discovery": "UNKNOWN"
},
"x_generator": {
"engine": "Vulnogram 0.5.0"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp",
"ID": "CVE-2022-33320",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ICONICS GENESIS64; Mitsubishi Electric MC Works64",
"version": {
"version_data": [
{
"version_value": "ICONICS GENESIS64 versions 10.97.1 and prior"
},
{
"version_value": "Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Deserialization of Untrusted Data vulnerability in ICONICS GENESIS64 versions 10.97.1 and prior and Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior allows an unauthenticated attacker to execute an arbitrary malicious code by leading a user to load a project configuration file including malicious XML codes."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Deserialization of Untrusted Data"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf",
"refsource": "MISC",
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf"
},
{
"name": "https://jvn.jp/vu/JVNVU96480474/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/vu/JVNVU96480474/index.html"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "e0f77b61-78fd-4786-b3fb-1ee347a748ad",
"assignerShortName": "Mitsubishi",
"cveId": "CVE-2022-33320",
"datePublished": "2022-07-20T16:56:24.000Z",
"dateReserved": "2022-06-14T00:00:00.000Z",
"dateUpdated": "2026-01-09T05:16:27.798Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2022-33320",
"date": "2026-05-11",
"epss": "0.00111",
"percentile": "0.28943"
},
"fkie_nvd": {
"configurations": "[{\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:iconics:genesis64:10.97:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"44D3F652-C916-4395-BD11-AECDDF960D45\"}, {\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:iconics:genesis64:10.97.1:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"6D89798E-910C-4C3F-9385-D9B7CA921091\"}]}]}, {\"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:mitsubishielectric:mc_works64:*:*:*:*:*:*:*:*\", \"versionEndIncluding\": \"10.95.210.01\", \"matchCriteriaId\": \"F44C63DD-663E-4505-8586-D4BCAB01AF73\"}]}]}]",
"descriptions": "[{\"lang\": \"en\", \"value\": \"Deserialization of Untrusted Data vulnerability in ICONICS GENESIS64 versions 10.97.1 and prior and Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior allows an unauthenticated attacker to execute an arbitrary malicious code by leading a user to load a project configuration file including malicious XML codes.\"}, {\"lang\": \"es\", \"value\": \"Una vulnerabilidad de Deserializaci\\u00f3n de Datos No Confiables en ICONICS GENESIS64 versiones 10.97.1 y anteriores y Mitsubishi Electric MC Works64 versiones 4.04E (10.95.210.01) y anteriores permite a un atacante no autenticado ejecutar un c\\u00f3digo malicioso arbitrario al conllevar a un usuario a cargar un archivo de configuraci\\u00f3n de proyecto que incluye c\\u00f3digos XML maliciosos\"}]",
"id": "CVE-2022-33320",
"lastModified": "2024-11-21T07:08:10.487",
"metrics": "{\"cvssMetricV31\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.1\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\", \"baseScore\": 7.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"NONE\", \"userInteraction\": \"REQUIRED\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 5.9}]}",
"published": "2022-07-20T17:15:08.397",
"references": "[{\"url\": \"https://jvn.jp/vu/JVNVU96480474/index.html\", \"source\": \"Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf\", \"source\": \"Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://jvn.jp/vu/JVNVU96480474/index.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}, {\"url\": \"https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Third Party Advisory\"]}]",
"sourceIdentifier": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp",
"vulnStatus": "Modified",
"weaknesses": "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-502\"}]}]"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2022-33320\",\"sourceIdentifier\":\"Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp\",\"published\":\"2022-07-20T17:15:08.397\",\"lastModified\":\"2026-01-09T06:16:00.577\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Deserialization of Untrusted Data vulnerability in Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric ICONICS Suite versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite versions 10.97 to 10.97.1, and Mitsubishi Electric MC Works64 versions 4.04E and prior allows an unauthenticated attacker to execute an arbitrary malicious code by leading a user to load a project configuration file including malicious XML codes.\"},{\"lang\":\"es\",\"value\":\"Una vulnerabilidad de Deserializaci\u00f3n de Datos No Confiables en ICONICS GENESIS64 versiones 10.97.1 y anteriores y Mitsubishi Electric MC Works64 versiones 4.04E (10.95.210.01) y anteriores permite a un atacante no autenticado ejecutar un c\u00f3digo malicioso arbitrario al conllevar a un usuario a cargar un archivo de configuraci\u00f3n de proyecto que incluye c\u00f3digos XML maliciosos\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-502\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:iconics:genesis64:10.97:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"44D3F652-C916-4395-BD11-AECDDF960D45\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:iconics:genesis64:10.97.1:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"6D89798E-910C-4C3F-9385-D9B7CA921091\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:mitsubishielectric:mc_works64:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"10.95.210.01\",\"matchCriteriaId\":\"F44C63DD-663E-4505-8586-D4BCAB01AF73\"}]}]}],\"references\":[{\"url\":\"https://jvn.jp/vu/JVNVU96480474/index.html\",\"source\":\"Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.cisa.gov/news-events/ics-advisories/icsa-22-202-04\",\"source\":\"Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp\"},{\"url\":\"https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf\",\"source\":\"Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://jvn.jp/vu/JVNVU96480474/index.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Third Party Advisory\"]}]}}"
}
}
ICSA-22-202-04
Vulnerability from csaf_cisa - Published: 2022-07-26 06:00 - Updated: 2026-02-24 07:00Summary
ICONICS Suite and Mitsubishi Electric MC Works64 Products (Update C)
Notes
Legal Notice and Terms of Use: This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).
Advisory Conversion Disclaimer: This ICSA is a verbatim republication of CISA ICSA-22-202-04 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact CISA directly for any questions regarding this advisory.
Critical infrastructure sectors: Critical Manufacturing
Countries/areas deployed: Worldwide
Company headquarters location: Mitsubishi Electric Iconics Digital Solutions is headquartered in the United States. Mitsubishi Electric is headquartered in Japan.
Recommended Practices: CISA recommends users take defensive measures to minimize the exploitation risk of this vulnerability.
Recommended Practices: Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.
Recommended Practices: Locate control system networks and remote devices behind firewalls and isolate them from business networks.
Recommended Practices: When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices.
Recommended Practices: CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Recommended Practices: CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Recommended Practices: CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Recommended Practices: Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
7.5 (High)
Affected products
Known affected
4 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Mitsubishi Electric GENESIS64: >=10.97|<=10.97.1
Mitsubishi Electric / GENESIS64
|
>=10.97|<=10.97.1 |
Vendor Fix
fix
Vendor Fix
fix
Vendor Fix
fix
Mitigation
Mitigation
|
|
|
Mitsubishi Electric ICONICS Suite: >=10.97|<=10.97.1
Mitsubishi Electric / ICONICS Suite
|
>=10.97|<=10.97.1 |
Vendor Fix
fix
Vendor Fix
fix
Vendor Fix
fix
Mitigation
Mitigation
|
|
|
Mitsubishi Electric Iconics Digital Solutions GENESIS64: >=10.97|<=10.97.1
Mitsubishi Electric Iconics Digital Solutions / GENESIS64
|
>=10.97|<=10.97.1 |
Vendor Fix
fix
Vendor Fix
fix
Vendor Fix
fix
Mitigation
Mitigation
|
|
|
Mitsubishi Electric Iconics Digital Solutions ICONICS Suite: >=10.97|<=10.97.1
Mitsubishi Electric Iconics Digital Solutions / ICONICS Suite
|
>=10.97|<=10.97.1 |
Vendor Fix
fix
Vendor Fix
fix
Vendor Fix
fix
Mitigation
Mitigation
|
7.8 (High)
Affected products
Known affected
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Mitsubishi Electric GENESIS64: >=10.97|<=10.97.1
Mitsubishi Electric / GENESIS64
|
>=10.97|<=10.97.1 |
Vendor Fix
fix
Vendor Fix
fix
Vendor Fix
fix
Mitigation
Mitigation
|
|
|
Mitsubishi Electric ICONICS Suite: >=10.97|<=10.97.1
Mitsubishi Electric / ICONICS Suite
|
>=10.97|<=10.97.1 |
Vendor Fix
fix
Vendor Fix
fix
Vendor Fix
fix
Mitigation
Mitigation
|
|
|
Mitsubishi Electric MC Works64: <=4.04E
Mitsubishi Electric / MC Works64
|
<=4.04E |
Vendor Fix
fix
No Fix Planned
fix
Mitigation
Mitigation
|
|
|
Mitsubishi Electric Iconics Digital Solutions GENESIS64: >=10.97|<=10.97.1
Mitsubishi Electric Iconics Digital Solutions / GENESIS64
|
>=10.97|<=10.97.1 |
Vendor Fix
fix
Vendor Fix
fix
Vendor Fix
fix
Mitigation
Mitigation
|
|
|
Mitsubishi Electric Iconics Digital Solutions ICONICS Suite: >=10.97|<=10.97.1
Mitsubishi Electric Iconics Digital Solutions / ICONICS Suite
|
>=10.97|<=10.97.1 |
Vendor Fix
fix
Vendor Fix
fix
Vendor Fix
fix
Mitigation
Mitigation
|
7.8 (High)
Affected products
Known affected
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Mitsubishi Electric GENESIS64: >=10.97|<=10.97.1
Mitsubishi Electric / GENESIS64
|
>=10.97|<=10.97.1 |
Vendor Fix
fix
Vendor Fix
fix
Vendor Fix
fix
Mitigation
Mitigation
|
|
|
Mitsubishi Electric ICONICS Suite: >=10.97|<=10.97.1
Mitsubishi Electric / ICONICS Suite
|
>=10.97|<=10.97.1 |
Vendor Fix
fix
Vendor Fix
fix
Vendor Fix
fix
Mitigation
Mitigation
|
|
|
Mitsubishi Electric MC Works64: <=4.04E
Mitsubishi Electric / MC Works64
|
<=4.04E |
Vendor Fix
fix
No Fix Planned
fix
Mitigation
Mitigation
|
|
|
Mitsubishi Electric Iconics Digital Solutions GENESIS64: >=10.97|<=10.97.1
Mitsubishi Electric Iconics Digital Solutions / GENESIS64
|
>=10.97|<=10.97.1 |
Vendor Fix
fix
Vendor Fix
fix
Vendor Fix
fix
Mitigation
Mitigation
|
|
|
Mitsubishi Electric Iconics Digital Solutions ICONICS Suite: >=10.97|<=10.97.1
Mitsubishi Electric Iconics Digital Solutions / ICONICS Suite
|
>=10.97|<=10.97.1 |
Vendor Fix
fix
Vendor Fix
fix
Vendor Fix
fix
Mitigation
Mitigation
|
7.8 (High)
Affected products
Known affected
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Mitsubishi Electric GENESIS64: >=10.97|<=10.97.1
Mitsubishi Electric / GENESIS64
|
>=10.97|<=10.97.1 |
Vendor Fix
fix
Vendor Fix
fix
Vendor Fix
fix
Mitigation
Mitigation
|
|
|
Mitsubishi Electric ICONICS Suite: >=10.97|<=10.97.1
Mitsubishi Electric / ICONICS Suite
|
>=10.97|<=10.97.1 |
Vendor Fix
fix
Vendor Fix
fix
Vendor Fix
fix
Mitigation
Mitigation
|
|
|
Mitsubishi Electric MC Works64: <=4.04E
Mitsubishi Electric / MC Works64
|
<=4.04E |
Vendor Fix
fix
No Fix Planned
fix
Mitigation
Mitigation
|
|
|
Mitsubishi Electric Iconics Digital Solutions GENESIS64: >=10.97|<=10.97.1
Mitsubishi Electric Iconics Digital Solutions / GENESIS64
|
>=10.97|<=10.97.1 |
Vendor Fix
fix
Vendor Fix
fix
Vendor Fix
fix
Mitigation
Mitigation
|
|
|
Mitsubishi Electric Iconics Digital Solutions ICONICS Suite: >=10.97|<=10.97.1
Mitsubishi Electric Iconics Digital Solutions / ICONICS Suite
|
>=10.97|<=10.97.1 |
Vendor Fix
fix
Vendor Fix
fix
Vendor Fix
fix
Mitigation
Mitigation
|
9.8 (Critical)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Mitsubishi Electric GENESIS64: >=10.97|<=10.97.1
Mitsubishi Electric / GENESIS64
|
>=10.97|<=10.97.1 |
Vendor Fix
fix
Vendor Fix
fix
Vendor Fix
fix
Mitigation
Mitigation
|
|
|
Mitsubishi Electric ICONICS Suite: >=10.97|<=10.97.1
Mitsubishi Electric / ICONICS Suite
|
>=10.97|<=10.97.1 |
Vendor Fix
fix
Vendor Fix
fix
Vendor Fix
fix
Mitigation
Mitigation
|
|
|
Mitsubishi Electric MC Works64: <=4.04E
Mitsubishi Electric / MC Works64
|
<=4.04E |
Vendor Fix
fix
No Fix Planned
fix
Mitigation
Mitigation
|
|
|
Mitsubishi Electric GENESIS32: <=9.7
Mitsubishi Electric / GENESIS32
|
<=9.7 |
Vendor Fix
fix
No Fix Planned
fix
Mitigation
Mitigation
|
|
|
Mitsubishi Electric Iconics Digital Solutions GENESIS64: >=10.97|<=10.97.1
Mitsubishi Electric Iconics Digital Solutions / GENESIS64
|
>=10.97|<=10.97.1 |
Vendor Fix
fix
Vendor Fix
fix
Vendor Fix
fix
Mitigation
Mitigation
|
|
|
Mitsubishi Electric Iconics Digital Solutions ICONICS Suite: >=10.97|<=10.97.1
Mitsubishi Electric Iconics Digital Solutions / ICONICS Suite
|
>=10.97|<=10.97.1 |
Vendor Fix
fix
Vendor Fix
fix
Vendor Fix
fix
Mitigation
Mitigation
|
|
|
Mitsubishi Electric Iconics Digital Solutions GENESIS32: <=9.7
Mitsubishi Electric Iconics Digital Solutions / GENESIS32
|
<=9.7 |
Vendor Fix
fix
No Fix Planned
fix
Mitigation
Mitigation
|
8.2 (High)
Affected products
Known affected
7 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Mitsubishi Electric GENESIS64: >=10.97|<=10.97.1
Mitsubishi Electric / GENESIS64
|
>=10.97|<=10.97.1 |
Vendor Fix
fix
Vendor Fix
fix
Vendor Fix
fix
Mitigation
Mitigation
|
|
|
Mitsubishi Electric ICONICS Suite: >=10.97|<=10.97.1
Mitsubishi Electric / ICONICS Suite
|
>=10.97|<=10.97.1 |
Vendor Fix
fix
Vendor Fix
fix
Vendor Fix
fix
Mitigation
Mitigation
|
|
|
Mitsubishi Electric MC Works64: <=4.04E
Mitsubishi Electric / MC Works64
|
<=4.04E |
Vendor Fix
fix
No Fix Planned
fix
Mitigation
Mitigation
|
|
|
Mitsubishi Electric GENESIS32: <=9.7
Mitsubishi Electric / GENESIS32
|
<=9.7 |
Vendor Fix
fix
No Fix Planned
fix
Mitigation
Mitigation
|
|
|
Mitsubishi Electric Iconics Digital Solutions GENESIS64: >=10.97|<=10.97.1
Mitsubishi Electric Iconics Digital Solutions / GENESIS64
|
>=10.97|<=10.97.1 |
Vendor Fix
fix
Vendor Fix
fix
Vendor Fix
fix
Mitigation
Mitigation
|
|
|
Mitsubishi Electric Iconics Digital Solutions ICONICS Suite: >=10.97|<=10.97.1
Mitsubishi Electric Iconics Digital Solutions / ICONICS Suite
|
>=10.97|<=10.97.1 |
Vendor Fix
fix
Vendor Fix
fix
Vendor Fix
fix
Mitigation
Mitigation
|
|
|
Mitsubishi Electric Iconics Digital Solutions GENESIS32: <=9.7
Mitsubishi Electric Iconics Digital Solutions / GENESIS32
|
<=9.7 |
Vendor Fix
fix
No Fix Planned
fix
Mitigation
Mitigation
|
7.8 (High)
Affected products
Known affected
5 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
|
Mitsubishi Electric GENESIS64: >=10.97|<=10.97.1
Mitsubishi Electric / GENESIS64
|
>=10.97|<=10.97.1 |
Vendor Fix
fix
Vendor Fix
fix
Vendor Fix
fix
Mitigation
Mitigation
|
|
|
Mitsubishi Electric ICONICS Suite: >=10.97|<=10.97.1
Mitsubishi Electric / ICONICS Suite
|
>=10.97|<=10.97.1 |
Vendor Fix
fix
Vendor Fix
fix
Vendor Fix
fix
Mitigation
Mitigation
|
|
|
Mitsubishi Electric MC Works64: <=4.04E
Mitsubishi Electric / MC Works64
|
<=4.04E |
Vendor Fix
fix
No Fix Planned
fix
Mitigation
Mitigation
|
|
|
Mitsubishi Electric Iconics Digital Solutions GENESIS64: >=10.97|<=10.97.1
Mitsubishi Electric Iconics Digital Solutions / GENESIS64
|
>=10.97|<=10.97.1 |
Vendor Fix
fix
Vendor Fix
fix
Vendor Fix
fix
Mitigation
Mitigation
|
|
|
Mitsubishi Electric Iconics Digital Solutions ICONICS Suite: >=10.97|<=10.97.1
Mitsubishi Electric Iconics Digital Solutions / ICONICS Suite
|
>=10.97|<=10.97.1 |
Vendor Fix
fix
Vendor Fix
fix
Vendor Fix
fix
Mitigation
Mitigation
|
References
23 references
Acknowledgments
Trend Micro Zero Day Initiative
Steven Seeley
Alex Birmberg
Ben McBride
Axel '0vercl0k'
Souchet
Claroty Research
Chris Anastasio
Noam Moshe
{
"document": {
"acknowledgments": [
{
"names": [
"Steven Seeley",
"Alex Birmberg",
"Ben McBride",
"Axel \u00270vercl0k\u0027",
"Souchet"
],
"organization": "Trend Micro Zero Day Initiative",
"summary": "reported these vulnerabilities to CISA"
},
{
"names": [
"Chris Anastasio",
"Noam Moshe"
],
"organization": "Claroty Research",
"summary": "reported these vulnerabilities to CISA"
}
],
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Disclosure is not limited",
"tlp": {
"label": "WHITE",
"url": "https://www.cisa.gov/news-events/news/traffic-light-protocol-tlp-definitions-and-usage"
}
},
"lang": "en-US",
"notes": [
{
"category": "legal_disclaimer",
"text": "This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy \u0026 Use policy (https://www.cisa.gov/privacy-policy).",
"title": "Legal Notice and Terms of Use"
},
{
"category": "other",
"text": "This ICSA is a verbatim republication of CISA ICSA-22-202-04 from a direct conversion of the vendor\u0027s Common Security Advisory Framework (CSAF) advisory. This is republished to CISA\u0027s website as a means of increasing visibility and is provided \"as-is\" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact CISA directly for any questions regarding this advisory.",
"title": "Advisory Conversion Disclaimer"
},
{
"category": "other",
"text": "Critical Manufacturing",
"title": "Critical infrastructure sectors"
},
{
"category": "other",
"text": "Worldwide",
"title": "Countries/areas deployed"
},
{
"category": "other",
"text": "Mitsubishi Electric Iconics Digital Solutions is headquartered in the United States. Mitsubishi Electric is headquartered in Japan.",
"title": "Company headquarters location"
},
{
"category": "general",
"text": "CISA recommends users take defensive measures to minimize the exploitation risk of this vulnerability.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Locate control system networks and remote devices behind firewalls and isolate them from business networks.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.",
"title": "Recommended Practices"
},
{
"category": "general",
"text": "Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.",
"title": "Recommended Practices"
}
],
"publisher": {
"category": "other",
"contact_details": "central@cisa.dhs.gov",
"name": "CISA",
"namespace": "https://www.cisa.gov/"
},
"references": [
{
"category": "self",
"summary": "ICS Advisory ICSA-22-202-04 JSON",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2022/icsa-22-202-04.json"
},
{
"category": "self",
"summary": "ICS Advisory ICSA-22-202-04 - Web Version",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-22-202-04"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/news-events/ics-alerts/ics-alert-10-301-01"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/topics/industrial-control-systems"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf"
},
{
"category": "external",
"summary": "Recommended Practices",
"url": "https://www.cisa.gov/news-events/news/targeted-cyber-intrusion-detection-and-mitigation-strategies-update-b"
}
],
"title": "ICONICS Suite and Mitsubishi Electric MC Works64 Products (Update C)",
"tracking": {
"current_release_date": "2026-02-24T07:00:00.000000Z",
"generator": {
"date": "2026-02-23T20:48:04.673707Z",
"engine": {
"name": "CISA CSAF Generator",
"version": "1.5.0"
}
},
"id": "ICSA-22-202-04",
"initial_release_date": "2022-07-26T06:00:00.000000Z",
"revision_history": [
{
"date": "2022-07-26T06:00:00.000000Z",
"legacy_version": "Initial",
"number": "1",
"summary": "Initial Republication of Mitsubishi Electric Advisory."
},
{
"date": "2025-07-24T06:00:00.000000Z",
"legacy_version": "Additional Release 1",
"number": "2",
"summary": "Update A - Updates to affected vendors, products and versions, CVE score, and mitigations."
},
{
"date": "2026-01-15T07:00:00.000000Z",
"legacy_version": "Additional Release 2",
"number": "3",
"summary": "Update B - Updates to affected products and mitigations."
},
{
"date": "2026-02-24T00:00:00.000000Z",
"legacy_version": "Additional Release 3",
"number": "4",
"summary": "Update C - Corrected CVE descriptions and updates to remediations."
}
],
"status": "final",
"version": "4"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e=10.97|\u003c=10.97.1",
"product": {
"name": "Mitsubishi Electric GENESIS64: \u003e=10.97|\u003c=10.97.1",
"product_id": "CSAFPID-0001"
}
}
],
"category": "product_name",
"name": "GENESIS64"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e=10.97|\u003c=10.97.1",
"product": {
"name": "Mitsubishi Electric ICONICS Suite: \u003e=10.97|\u003c=10.97.1",
"product_id": "CSAFPID-0002"
}
}
],
"category": "product_name",
"name": "ICONICS Suite"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=4.04E",
"product": {
"name": "Mitsubishi Electric MC Works64: \u003c=4.04E",
"product_id": "CSAFPID-0003"
}
}
],
"category": "product_name",
"name": "MC Works64"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=9.7",
"product": {
"name": "Mitsubishi Electric GENESIS32: \u003c=9.7",
"product_id": "CSAFPID-0004"
}
}
],
"category": "product_name",
"name": "GENESIS32"
}
],
"category": "vendor",
"name": "Mitsubishi Electric"
},
{
"branches": [
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e=10.97|\u003c=10.97.1",
"product": {
"name": "Mitsubishi Electric Iconics Digital Solutions GENESIS64: \u003e=10.97|\u003c=10.97.1",
"product_id": "CSAFPID-0005"
}
}
],
"category": "product_name",
"name": "GENESIS64"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003e=10.97|\u003c=10.97.1",
"product": {
"name": "Mitsubishi Electric Iconics Digital Solutions ICONICS Suite: \u003e=10.97|\u003c=10.97.1",
"product_id": "CSAFPID-0006"
}
}
],
"category": "product_name",
"name": "ICONICS Suite"
},
{
"branches": [
{
"category": "product_version_range",
"name": "\u003c=9.7",
"product": {
"name": "Mitsubishi Electric Iconics Digital Solutions GENESIS32: \u003c=9.7",
"product_id": "CSAFPID-0007"
}
}
],
"category": "product_name",
"name": "GENESIS32"
}
],
"category": "vendor",
"name": "Mitsubishi Electric Iconics Digital Solutions"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2022-29834",
"cwe": {
"id": "CWE-22",
"name": "Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)"
},
"notes": [
{
"category": "summary",
"text": "An information disclosure vulnerability due to Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027) exists in the mobile monitoring function of Mitsubishi Electric GENESIS64 and ICONICS Suite, and Mitsubishi Electric Iconics Digital Solutions GENESIS64 and ICONICS Suite. An attacker may be able to access to arbitrary files in the GENESIS64 or ICONICS Suite server and disclose information stored in the files by embedding a malicious URL parameter in the URL of the monitoring screen delivered to the GENESIS64 or ICONICS Suite mobile monitoring application and access the monitoring screen.",
"title": "Vulnerability Summary"
},
{
"category": "details",
"text": "SSVCv2/E:N/A:Y/T:P/2026-02-12T00:00:00.000Z",
"title": "SSVC"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0005",
"CSAFPID-0006"
]
},
"references": [
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-29834"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/22.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "For Users using GENESIS64 and ICONICS Suite Version 10.97.1, please download and update to \"10.97.1 Critical Fixes Rollup 3\" from the ICONICS Community Portal (https://iconicsinc.my.site.com/community/s/software-update/a355a000003WwejAAC/10971-critical-fixes-rollup-3), a web site operated by ICONICS. To download it, you need to create an account on this site and then enter a Support WorX Plan Number described in \"SupportWorX License Information\", which is shipped with the product.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0005",
"CSAFPID-0006"
],
"url": "https://iconicsinc.my.site.com/community/s/software-update/a355a000003WwejAAC/10971-critical-fixes-rollup-3"
},
{
"category": "vendor_fix",
"details": "For Users using GENESIS64 and ICONICS Suite Version 10.97, please download and update to \"10.97 Critical Fixes Rollup 4\" from the ICONICS Community Portal (https://iconicsinc.my.site.com/community/s/software-update/a355a000003O4zLAAS/1097-critical-fixes-rollup-4), a web site operated by ICONICS. To download it, you need to create an account on this site and then enter a Support WorX Plan Number described in \"SupportWorX License Information\", which is shipped with the product.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0005",
"CSAFPID-0006"
],
"url": "https://iconicsinc.my.site.com/community/s/software-update/a355a000003O4zLAAS/1097-critical-fixes-rollup-4"
},
{
"category": "vendor_fix",
"details": "Additional information and useful links are found on Mitsubishi Electric\u0027s security advisory.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002"
],
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf"
},
{
"category": "vendor_fix",
"details": "Additional information and useful links are found on the ICONICS GENESIS64 security updates page.",
"product_ids": [
"CSAFPID-0005",
"CSAFPID-0006"
],
"url": "https://iconics.com/en-us/About/Security/CERT"
},
{
"category": "mitigation",
"details": "For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric recommends locating control system networks and devices behind firewalls and isolate them from untrusted networks and hosts, to minimize the risk of exploiting this vulnerability.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0005",
"CSAFPID-0006"
]
},
{
"category": "mitigation",
"details": "For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric recommends avoiding clicking on web links in e-mails from unreliable sources, and avoiding opening attachments to untrusted emails, to minimize the risk of exploiting this vulnerability.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0005",
"CSAFPID-0006"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.5,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0005",
"CSAFPID-0006"
]
}
]
},
{
"cve": "CVE-2022-33315",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"notes": [
{
"category": "summary",
"text": "A remote code execution vulnerability due to Deserialization of Untrusted Data (CWE-502) exists in the graphic monitoring function of Mitsubishi Electric GENESIS64, ICONICS Suite, and MC Works64, and Mitsubishi Electric Iconics Digital Solutions GENESIS64 and ICONICS Suite. An attacker may be able to execute an arbitrary malicious code by leading a legitimate user to load a monitoring screen file including malicious XAML codes.",
"title": "Vulnerability Summary"
},
{
"category": "details",
"text": "SSVCv2/E:N/A:N/T:T/2026-02-12T00:00:00.000Z",
"title": "SSVC"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0005",
"CSAFPID-0006"
]
},
"references": [
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-33315"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/502.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "For Users using GENESIS64 and ICONICS Suite Version 10.97.1, please download and update to \"10.97.1 Critical Fixes Rollup 3\" from the ICONICS Community Portal (https://iconicsinc.my.site.com/community/s/software-update/a355a000003WwejAAC/10971-critical-fixes-rollup-3), a web site operated by ICONICS. To download it, you need to create an account on this site and then enter a Support WorX Plan Number described in \"SupportWorX License Information\", which is shipped with the product.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0005",
"CSAFPID-0006"
],
"url": "https://iconicsinc.my.site.com/community/s/software-update/a355a000003WwejAAC/10971-critical-fixes-rollup-3"
},
{
"category": "vendor_fix",
"details": "For Users using GENESIS64 and ICONICS Suite Version 10.97, please download and update to \"10.97 Critical Fixes Rollup 4\" from the ICONICS Community Portal (https://iconicsinc.my.site.com/community/s/software-update/a355a000003O4zLAAS/1097-critical-fixes-rollup-4), a web site operated by ICONICS. To download it, you need to create an account on this site and then enter a Support WorX Plan Number described in \"SupportWorX License Information\", which is shipped with the product.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0005",
"CSAFPID-0006"
],
"url": "https://iconicsinc.my.site.com/community/s/software-update/a355a000003O4zLAAS/1097-critical-fixes-rollup-4"
},
{
"category": "vendor_fix",
"details": "Additional information and useful links are found on Mitsubishi Electric\u0027s security advisory.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003"
],
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf"
},
{
"category": "vendor_fix",
"details": "Additional information and useful links are found on the ICONICS GENESIS64 security updates page.",
"product_ids": [
"CSAFPID-0005",
"CSAFPID-0006"
],
"url": "https://iconics.com/en-us/About/Security/CERT"
},
{
"category": "no_fix_planned",
"details": "There are no plans to release a security update for MC Works64. Please refer to the Mitsubishi Electric security advisory and take the actions mentioned there.",
"product_ids": [
"CSAFPID-0003"
],
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf"
},
{
"category": "mitigation",
"details": "For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric recommends locating control system networks and devices behind firewalls and isolate them from untrusted networks and hosts, to minimize the risk of exploiting this vulnerability.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0005",
"CSAFPID-0006"
]
},
{
"category": "mitigation",
"details": "For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric recommends avoiding clicking on web links in e-mails from unreliable sources, and avoiding opening attachments to untrusted emails, to minimize the risk of exploiting this vulnerability.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0005",
"CSAFPID-0006"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0005",
"CSAFPID-0006"
]
}
]
},
{
"cve": "CVE-2022-33316",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"notes": [
{
"category": "summary",
"text": "A remote code execution vulnerability due to Deserialization of Untrusted Data (CWE-502) exists in the graphic monitoring function of Mitsubishi Electric GENESIS64, ICONICS Suite, and MC Works64, and Mitsubishi Electric Iconics Digital Solutions GENESIS64 and ICONICS Suite. An attacker may be able to execute an arbitrary malicious code by leading a legitimate user to load a monitoring screen file including malicious XAML codes.",
"title": "Vulnerability Summary"
},
{
"category": "details",
"text": "SSVCv2/E:N/A:N/T:T/2026-02-12T00:00:00.000Z",
"title": "SSVC"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0005",
"CSAFPID-0006"
]
},
"references": [
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-33316"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/502.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "For Users using GENESIS64 and ICONICS Suite Version 10.97.1, please download and update to \"10.97.1 Critical Fixes Rollup 3\" from the ICONICS Community Portal (https://iconicsinc.my.site.com/community/s/software-update/a355a000003WwejAAC/10971-critical-fixes-rollup-3), a web site operated by ICONICS. To download it, you need to create an account on this site and then enter a Support WorX Plan Number described in \"SupportWorX License Information\", which is shipped with the product.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0005",
"CSAFPID-0006"
],
"url": "https://iconicsinc.my.site.com/community/s/software-update/a355a000003WwejAAC/10971-critical-fixes-rollup-3"
},
{
"category": "vendor_fix",
"details": "For Users using GENESIS64 and ICONICS Suite Version 10.97, please download and update to \"10.97 Critical Fixes Rollup 4\" from the ICONICS Community Portal (https://iconicsinc.my.site.com/community/s/software-update/a355a000003O4zLAAS/1097-critical-fixes-rollup-4), a web site operated by ICONICS. To download it, you need to create an account on this site and then enter a Support WorX Plan Number described in \"SupportWorX License Information\", which is shipped with the product.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0005",
"CSAFPID-0006"
],
"url": "https://iconicsinc.my.site.com/community/s/software-update/a355a000003O4zLAAS/1097-critical-fixes-rollup-4"
},
{
"category": "vendor_fix",
"details": "Additional information and useful links are found on Mitsubishi Electric\u0027s security advisory.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003"
],
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf"
},
{
"category": "vendor_fix",
"details": "Additional information and useful links are found on the ICONICS GENESIS64 security updates page.",
"product_ids": [
"CSAFPID-0005",
"CSAFPID-0006"
],
"url": "https://iconics.com/en-us/About/Security/CERT"
},
{
"category": "no_fix_planned",
"details": "There are no plans to release a security update for MC Works64. Please refer to the Mitsubishi Electric security advisory and take the actions mentioned there.",
"product_ids": [
"CSAFPID-0003"
],
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf"
},
{
"category": "mitigation",
"details": "For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric recommends locating control system networks and devices behind firewalls and isolate them from untrusted networks and hosts, to minimize the risk of exploiting this vulnerability.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0005",
"CSAFPID-0006"
]
},
{
"category": "mitigation",
"details": "For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric recommends avoiding clicking on web links in e-mails from unreliable sources, and avoiding opening attachments to untrusted emails, to minimize the risk of exploiting this vulnerability.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0005",
"CSAFPID-0006"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0005",
"CSAFPID-0006"
]
}
]
},
{
"cve": "CVE-2022-33317",
"cwe": {
"id": "CWE-829",
"name": "Inclusion of Functionality from Untrusted Control Sphere"
},
"notes": [
{
"category": "summary",
"text": "A remote code execution vulnerability due to Inclusion of Functionality from Untrusted Control Sphere (CWE-829) exists in the graphic monitoring function of Mitsubishi Electric GENESIS64, ICONICS Suite, and MC Works64, and Mitsubishi Electric Iconics Digital Solutions GENESIS64 and ICONICS Suite. An attacker may be able to execute an arbitrary malicious code by leading a legitimate user to load a monitoring screen file including malicious script codes.",
"title": "Vulnerability Summary"
},
{
"category": "details",
"text": "SSVCv2/E:N/A:N/T:T/2026-02-12T00:00:00.000Z",
"title": "SSVC"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0005",
"CSAFPID-0006"
]
},
"references": [
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-33317"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/829.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "For Users using GENESIS64 and ICONICS Suite Version 10.97.1, please download and update to \"10.97.1 Critical Fixes Rollup 3\" from the ICONICS Community Portal (https://iconicsinc.my.site.com/community/s/software-update/a355a000003WwejAAC/10971-critical-fixes-rollup-3), a web site operated by ICONICS. To download it, you need to create an account on this site and then enter a Support WorX Plan Number described in \"SupportWorX License Information\", which is shipped with the product.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0005",
"CSAFPID-0006"
],
"url": "https://iconicsinc.my.site.com/community/s/software-update/a355a000003WwejAAC/10971-critical-fixes-rollup-3"
},
{
"category": "vendor_fix",
"details": "For Users using GENESIS64 and ICONICS Suite Version 10.97, please download and update to \"10.97 Critical Fixes Rollup 4\" from the ICONICS Community Portal (https://iconicsinc.my.site.com/community/s/software-update/a355a000003O4zLAAS/1097-critical-fixes-rollup-4), a web site operated by ICONICS. To download it, you need to create an account on this site and then enter a Support WorX Plan Number described in \"SupportWorX License Information\", which is shipped with the product.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0005",
"CSAFPID-0006"
],
"url": "https://iconicsinc.my.site.com/community/s/software-update/a355a000003O4zLAAS/1097-critical-fixes-rollup-4"
},
{
"category": "vendor_fix",
"details": "Additional information and useful links are found on Mitsubishi Electric\u0027s security advisory.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003"
],
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf"
},
{
"category": "vendor_fix",
"details": "Additional information and useful links are found on the ICONICS GENESIS64 security updates page.",
"product_ids": [
"CSAFPID-0005",
"CSAFPID-0006"
],
"url": "https://iconics.com/en-us/About/Security/CERT"
},
{
"category": "no_fix_planned",
"details": "There are no plans to release a security update for MC Works64. Please refer to the Mitsubishi Electric security advisory and take the actions mentioned there.",
"product_ids": [
"CSAFPID-0003"
],
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf"
},
{
"category": "mitigation",
"details": "For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric recommends locating control system networks and devices behind firewalls and isolate them from untrusted networks and hosts, to minimize the risk of exploiting this vulnerability.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0005",
"CSAFPID-0006"
]
},
{
"category": "mitigation",
"details": "For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric recommends avoiding clicking on web links in e-mails from unreliable sources. Also, do not open attachments to untrusted emails, to minimize the risk of exploiting this vulnerability.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0005",
"CSAFPID-0006"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0005",
"CSAFPID-0006"
]
}
]
},
{
"cve": "CVE-2022-33318",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"notes": [
{
"category": "summary",
"text": "A remote code execution vulnerability due to Deserialization of Untrusted Data (CWE-502) exists in the communication function of Mitsubishi Electric GENESIS64, ICONICS Suite, MC Works64, and GENESIS32, and Mitsubishi Electric Iconics Digital Solutions GENESIS64, ICONICS Suite, and GENESIS32. An attacker may be able to execute an arbitrary malicious code by sending specially crafted packets to the GENESIS64, ICONICS Suite, MC Works64, or GENESIS32 server.",
"title": "Vulnerability Summary"
},
{
"category": "details",
"text": "SSVCv2/E:N/A:Y/T:T/2026-02-12T00:00:00.000Z",
"title": "SSCV"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007"
]
},
"references": [
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-33318"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/502.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "For Users using GENESIS64 and ICONICS Suite Version 10.97.1, please download and update to \"10.97.1 Critical Fixes Rollup 3\" from the ICONICS Community Portal (https://iconicsinc.my.site.com/community/s/software-update/a355a000003WwejAAC/10971-critical-fixes-rollup-3), a web site operated by ICONICS. To download it, you need to create an account on this site and then enter a Support WorX Plan Number described in \"SupportWorX License Information\", which is shipped with the product.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0005",
"CSAFPID-0006"
],
"url": "https://iconicsinc.my.site.com/community/s/software-update/a355a000003WwejAAC/10971-critical-fixes-rollup-3"
},
{
"category": "vendor_fix",
"details": "For Users using GENESIS64 and ICONICS Suite Version 10.97, please download and update to \"10.97 Critical Fixes Rollup 4\" from the ICONICS Community Portal (https://iconicsinc.my.site.com/community/s/software-update/a355a000003O4zLAAS/1097-critical-fixes-rollup-4), a web site operated by ICONICS. To download it, you need to create an account on this site and then enter a Support WorX Plan Number described in \"SupportWorX License Information\", which is shipped with the product.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0005",
"CSAFPID-0006"
],
"url": "https://iconicsinc.my.site.com/community/s/software-update/a355a000003O4zLAAS/1097-critical-fixes-rollup-4"
},
{
"category": "vendor_fix",
"details": "Additional information and useful links are found on Mitsubishi Electric\u0027s security advisory.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
],
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf"
},
{
"category": "vendor_fix",
"details": "Additional information and useful links are found on the ICONICS GENESIS64 security updates page.",
"product_ids": [
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007"
],
"url": "https://iconics.com/en-us/About/Security/CERT"
},
{
"category": "no_fix_planned",
"details": "There are no plans to release a security update for MC Works64. Please refer to the Mitsubishi Electric security advisory and take the actions mentioned there.",
"product_ids": [
"CSAFPID-0003"
],
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf"
},
{
"category": "no_fix_planned",
"details": "There are no plans to release a security update for GENESIS32. Please refer to the Mitsubishi Electric security advisory and take the actions mentioned there.",
"product_ids": [
"CSAFPID-0004",
"CSAFPID-0007"
],
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf"
},
{
"category": "mitigation",
"details": "For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric recommends locating control system networks and devices behind firewalls and isolate them from untrusted networks and hosts, to minimize the risk of exploiting this vulnerability.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007"
]
},
{
"category": "mitigation",
"details": "For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric recommends avoiding clicking on web links in e-mails from unreliable sources. Also, do not open attachments to untrusted emails, to minimize the risk of exploiting this vulnerability.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007"
]
}
]
},
{
"cve": "CVE-2022-33319",
"cwe": {
"id": "CWE-125",
"name": "Out-of-bounds Read"
},
"notes": [
{
"category": "summary",
"text": "An information disclosure and Denial of Service (DoS) vulnerability due to Out-of-bounds Read (CWE-125) exists in the communication function of Mitsubishi Electric GENESIS64, ICONICS Suite, MC Works64, and GENESIS32, and Mitsubishi Electric Iconics Digital Solutions GENESIS64, ICONICS Suite, and GENESIS32. An attacker may be able to disclose information on memory or cause a Denial of Service (DoS) condition by sending specially crafted packets to the GENESIS64, ICONICS Suite, MC Works64, or GENESIS32 server.",
"title": "Vulnerability Summary"
},
{
"category": "details",
"text": "SSVCv2/E:N/A:N/T:P/2026-02-12T00:00:00.000Z",
"title": "SSVC"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007"
]
},
"references": [
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-33319"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/125.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "For Users using GENESIS64 and ICONICS Suite Version 10.97.1, please download and update to \"10.97.1 Critical Fixes Rollup 3\" from the ICONICS Community Portal (https://iconicsinc.my.site.com/community/s/software-update/a355a000003WwejAAC/10971-critical-fixes-rollup-3), a web site operated by ICONICS. To download it, you need to create an account on this site and then enter a Support WorX Plan Number described in \"SupportWorX License Information\", which is shipped with the product.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0005",
"CSAFPID-0006"
],
"url": "https://iconicsinc.my.site.com/community/s/software-update/a355a000003WwejAAC/10971-critical-fixes-rollup-3"
},
{
"category": "vendor_fix",
"details": "For Users using GENESIS64 and ICONICS Suite Version 10.97, please download and update to \"10.97 Critical Fixes Rollup 4\" from the ICONICS Community Portal (https://iconicsinc.my.site.com/community/s/software-update/a355a000003O4zLAAS/1097-critical-fixes-rollup-4), a web site operated by ICONICS. To download it, you need to create an account on this site and then enter a Support WorX Plan Number described in \"SupportWorX License Information\", which is shipped with the product.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0005",
"CSAFPID-0006"
],
"url": "https://iconicsinc.my.site.com/community/s/software-update/a355a000003O4zLAAS/1097-critical-fixes-rollup-4"
},
{
"category": "vendor_fix",
"details": "Additional information and useful links are found on Mitsubishi Electric\u0027s security advisory.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004"
],
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf"
},
{
"category": "vendor_fix",
"details": "Additional information and useful links are found on the ICONICS GENESIS64 security updates page.",
"product_ids": [
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007"
],
"url": "https://iconics.com/en-us/About/Security/CERT"
},
{
"category": "no_fix_planned",
"details": "There are no plans to release a security update for MC Works64. Please refer to the Mitsubishi Electric security advisory and take the actions mentioned there.",
"product_ids": [
"CSAFPID-0003"
],
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf"
},
{
"category": "no_fix_planned",
"details": "There are no plans to release a security update for GENESIS32. Please refer to the Mitsubishi Electric security advisory and take the actions mentioned there.",
"product_ids": [
"CSAFPID-0004",
"CSAFPID-0007"
],
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf"
},
{
"category": "mitigation",
"details": "For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric recommends locating control system networks and devices behind firewalls and isolate them from untrusted networks and hosts, to minimize the risk of exploiting this vulnerability.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007"
]
},
{
"category": "mitigation",
"details": "For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric recommends avoiding clicking on web links in e-mails from unreliable sources. Also, do not open attachments to untrusted emails, to minimize the risk of exploiting this vulnerability.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0004",
"CSAFPID-0005",
"CSAFPID-0006",
"CSAFPID-0007"
]
}
]
},
{
"cve": "CVE-2022-33320",
"cwe": {
"id": "CWE-502",
"name": "Deserialization of Untrusted Data"
},
"notes": [
{
"category": "summary",
"text": "A remote code execution vulnerability due to Deserialization of Untrusted Data (CWE-502) exists in the project management function of Mitsubishi Electric GENESIS64, ICONICS Suite, and MC Works64, and Mitsubishi Electric Iconics Digital Solutions GENESIS64 and ICONICS Suite. An attacker may be able to execute an arbitrary malicious code by leading a legitimate user to load a project configuration file including malicious XML codes.",
"title": "Vulnerability Summary"
},
{
"category": "details",
"text": "SSVCv2/E:N/A:N/T:T/2026-02-12T00:00:00.000Z",
"title": "SSVC"
}
],
"product_status": {
"known_affected": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0005",
"CSAFPID-0006"
]
},
"references": [
{
"category": "external",
"summary": "www.cve.org",
"url": "https://www.cve.org/CVERecord?id=CVE-2022-33320"
},
{
"category": "external",
"summary": "cwe.mitre.org",
"url": "https://cwe.mitre.org/data/definitions/502.html"
},
{
"category": "external",
"summary": "www.first.org",
"url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "For Users using GENESIS64 and ICONICS Suite Version 10.97.1, please download and update to \"10.97.1 Critical Fixes Rollup 3\" from the ICONICS Community Portal (https://iconicsinc.my.site.com/community/s/software-update/a355a000003WwejAAC/10971-critical-fixes-rollup-3), a web site operated by ICONICS. To download it, you need to create an account on this site and then enter a Support WorX Plan Number described in \"SupportWorX License Information\", which is shipped with the product.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0005",
"CSAFPID-0006"
],
"url": "https://iconicsinc.my.site.com/community/s/software-update/a355a000003WwejAAC/10971-critical-fixes-rollup-3"
},
{
"category": "vendor_fix",
"details": "For Users using GENESIS64 and ICONICS Suite Version 10.97, please download and update to \"10.97 Critical Fixes Rollup 4\" from the ICONICS Community Portal (https://iconicsinc.my.site.com/community/s/software-update/a355a000003O4zLAAS/1097-critical-fixes-rollup-4), a web site operated by ICONICS. To download it, you need to create an account on this site and then enter a Support WorX Plan Number described in \"SupportWorX License Information\", which is shipped with the product.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0005",
"CSAFPID-0006"
],
"url": "https://iconicsinc.my.site.com/community/s/software-update/a355a000003O4zLAAS/1097-critical-fixes-rollup-4"
},
{
"category": "vendor_fix",
"details": "Additional information and useful links are found on Mitsubishi Electric\u0027s security advisory.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003"
],
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf"
},
{
"category": "vendor_fix",
"details": "Additional information and useful links are found on the ICONICS GENESIS64 security updates page.",
"product_ids": [
"CSAFPID-0005",
"CSAFPID-0006"
],
"url": "https://iconics.com/en-us/About/Security/CERT"
},
{
"category": "no_fix_planned",
"details": "There are no plans to release a security update for MC Works64. Please refer to the Mitsubishi Electric security advisory and take the actions mentioned there.",
"product_ids": [
"CSAFPID-0003"
],
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf"
},
{
"category": "mitigation",
"details": "For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric recommends locating control system networks and devices behind firewalls and isolate them from untrusted networks and hosts, to minimize the risk of exploiting this vulnerability.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0005",
"CSAFPID-0006"
]
},
{
"category": "mitigation",
"details": "For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric recommends avoiding clicking on web links in e-mails from unreliable sources. Also, do not open attachments to untrusted emails, to minimize the risk of exploiting this vulnerability.",
"product_ids": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0005",
"CSAFPID-0006"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001",
"CSAFPID-0002",
"CSAFPID-0003",
"CSAFPID-0005",
"CSAFPID-0006"
]
}
]
}
]
}
VAR-202207-1523
Vulnerability from variot - Updated: 2023-09-10 22:31Deserialization of Untrusted Data vulnerability in ICONICS GENESIS64 versions 10.97.1 and prior and Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior allows an unauthenticated attacker to execute an arbitrary malicious code by leading a user to load a project configuration file including malicious XML codes. ICONICS, Inc. of GENESIS 64 Products from multiple other vendors contain untrusted data deserialization vulnerabilities.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ICONICS GENESIS64. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of PKGX files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-202207-1523",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "genesis64",
"scope": null,
"trust": 1.4,
"vendor": "iconics",
"version": null
},
{
"model": "genesis64",
"scope": "eq",
"trust": 1.0,
"vendor": "iconics",
"version": "10.97.1"
},
{
"model": "mc works64",
"scope": "lte",
"trust": 1.0,
"vendor": "mitsubishielectric",
"version": "10.95.210.01"
},
{
"model": "genesis64",
"scope": "eq",
"trust": 1.0,
"vendor": "iconics",
"version": "10.97"
},
{
"model": "mc works64",
"scope": null,
"trust": 0.8,
"vendor": "\u4e09\u83f1\u96fb\u6a5f",
"version": null
},
{
"model": "genesis 64",
"scope": null,
"trust": 0.8,
"vendor": "iconics",
"version": null
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-22-1163"
},
{
"db": "ZDI",
"id": "ZDI-23-343"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-013544"
},
{
"db": "NVD",
"id": "CVE-2022-33320"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:iconics:genesis64:10.97.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:iconics:genesis64:10.97:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:mitsubishielectric:mc_works64:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "10.95.210.01",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2022-33320"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Noam Moshe of Claroty Research",
"sources": [
{
"db": "ZDI",
"id": "ZDI-22-1163"
},
{
"db": "ZDI",
"id": "ZDI-23-343"
}
],
"trust": 1.4
},
"cve": "CVE-2022-33320",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [],
"cvssV3": [
{
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"author": "ZDI",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 1.8,
"id": "CVE-2022-33320",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.4,
"userInteraction": "REQUIRED",
"vectorString": "AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
},
{
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"author": "NVD",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"exploitabilityScore": 1.8,
"id": "CVE-2022-33320",
"impactScore": 5.9,
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"trust": 1.0,
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
{
"attackComplexity": "Low",
"attackVector": "Local",
"author": "NVD",
"availabilityImpact": "High",
"baseScore": 7.8,
"baseSeverity": "High",
"confidentialityImpact": "High",
"exploitabilityScore": null,
"id": "CVE-2022-33320",
"impactScore": null,
"integrityImpact": "High",
"privilegesRequired": "None",
"scope": "Unchanged",
"trust": 0.8,
"userInteraction": "Required",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.0"
}
],
"severity": [
{
"author": "NVD",
"id": "CVE-2022-33320",
"trust": 1.8,
"value": "HIGH"
},
{
"author": "ZDI",
"id": "CVE-2022-33320",
"trust": 1.4,
"value": "HIGH"
},
{
"author": "CNNVD",
"id": "CNNVD-202207-2068",
"trust": 0.6,
"value": "HIGH"
}
]
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-22-1163"
},
{
"db": "ZDI",
"id": "ZDI-23-343"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-013544"
},
{
"db": "NVD",
"id": "CVE-2022-33320"
},
{
"db": "CNNVD",
"id": "CNNVD-202207-2068"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Deserialization of Untrusted Data vulnerability in ICONICS GENESIS64 versions 10.97.1 and prior and Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior allows an unauthenticated attacker to execute an arbitrary malicious code by leading a user to load a project configuration file including malicious XML codes. ICONICS, Inc. of GENESIS 64 Products from multiple other vendors contain untrusted data deserialization vulnerabilities.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be in a state. This vulnerability allows remote attackers to execute arbitrary code on affected installations of ICONICS GENESIS64. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.The specific flaw exists within the parsing of PKGX files. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of the current process",
"sources": [
{
"db": "NVD",
"id": "CVE-2022-33320"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-013544"
},
{
"db": "ZDI",
"id": "ZDI-22-1163"
},
{
"db": "ZDI",
"id": "ZDI-23-343"
},
{
"db": "VULMON",
"id": "CVE-2022-33320"
}
],
"trust": 2.97
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2022-33320",
"trust": 4.7
},
{
"db": "JVN",
"id": "JVNVU96480474",
"trust": 2.5
},
{
"db": "ICS CERT",
"id": "ICSA-22-202-04",
"trust": 1.5
},
{
"db": "JVNDB",
"id": "JVNDB-2022-013544",
"trust": 0.8
},
{
"db": "ZDI_CAN",
"id": "ZDI-CAN-17361",
"trust": 0.7
},
{
"db": "ZDI",
"id": "ZDI-22-1163",
"trust": 0.7
},
{
"db": "ZDI_CAN",
"id": "ZDI-CAN-17369",
"trust": 0.7
},
{
"db": "ZDI",
"id": "ZDI-23-343",
"trust": 0.7
},
{
"db": "CS-HELP",
"id": "SB2022072542",
"trust": 0.6
},
{
"db": "CNNVD",
"id": "CNNVD-202207-2068",
"trust": 0.6
},
{
"db": "VULMON",
"id": "CVE-2022-33320",
"trust": 0.1
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-22-1163"
},
{
"db": "ZDI",
"id": "ZDI-23-343"
},
{
"db": "VULMON",
"id": "CVE-2022-33320"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-013544"
},
{
"db": "NVD",
"id": "CVE-2022-33320"
},
{
"db": "CNNVD",
"id": "CNNVD-202207-2068"
}
]
},
"id": "VAR-202207-1523",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VARIoT devices database",
"id": null
}
],
"trust": 0.42615384
},
"last_update_date": "2023-09-10T22:31:28.066000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "ICONICS has issued an update to correct this vulnerability.",
"trust": 0.7,
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-202-04"
},
{
"title": "ICONICS has issued an update to correct this vulnerability.",
"trust": 0.7,
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-22-202-04"
},
{
"title": "Mitsubishi Electric MC Works64 Fixes for code issue vulnerabilities",
"trust": 0.6,
"url": "http://www.cnnvd.org.cn/web/xxk/bdxqbyid.tag?id=201698"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-22-1163"
},
{
"db": "ZDI",
"id": "ZDI-23-343"
},
{
"db": "CNNVD",
"id": "CNNVD-202207-2068"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-502",
"trust": 1.0
},
{
"problemtype": "Deserialization of untrusted data (CWE-502) [NVD evaluation ]",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2022-013544"
},
{
"db": "NVD",
"id": "CVE-2022-33320"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.5,
"url": "https://jvn.jp/vu/jvnvu96480474/index.html"
},
{
"trust": 2.5,
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf"
},
{
"trust": 1.5,
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-22-202-04"
},
{
"trust": 0.8,
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-22-202-04"
},
{
"trust": 0.8,
"url": "https://jvn.jp/vu/jvnvu96480474/"
},
{
"trust": 0.8,
"url": "https://nvd.nist.gov/vuln/detail/cve-2022-33320"
},
{
"trust": 0.6,
"url": "https://cxsecurity.com/cveshow/cve-2022-33320/"
},
{
"trust": 0.6,
"url": "https://www.cybersecurity-help.cz/vdb/sb2022072542"
},
{
"trust": 0.6,
"url": "https://us-cert.cisa.gov/ics/advisories/icsa-22-202-04"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov"
}
],
"sources": [
{
"db": "ZDI",
"id": "ZDI-22-1163"
},
{
"db": "ZDI",
"id": "ZDI-23-343"
},
{
"db": "VULMON",
"id": "CVE-2022-33320"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-013544"
},
{
"db": "NVD",
"id": "CVE-2022-33320"
},
{
"db": "CNNVD",
"id": "CNNVD-202207-2068"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "ZDI",
"id": "ZDI-22-1163"
},
{
"db": "ZDI",
"id": "ZDI-23-343"
},
{
"db": "VULMON",
"id": "CVE-2022-33320"
},
{
"db": "JVNDB",
"id": "JVNDB-2022-013544"
},
{
"db": "NVD",
"id": "CVE-2022-33320"
},
{
"db": "CNNVD",
"id": "CNNVD-202207-2068"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-08-23T00:00:00",
"db": "ZDI",
"id": "ZDI-22-1163"
},
{
"date": "2023-03-31T00:00:00",
"db": "ZDI",
"id": "ZDI-23-343"
},
{
"date": "2022-07-20T00:00:00",
"db": "VULMON",
"id": "CVE-2022-33320"
},
{
"date": "2023-09-08T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2022-013544"
},
{
"date": "2022-07-20T17:15:00",
"db": "NVD",
"id": "CVE-2022-33320"
},
{
"date": "2022-07-20T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202207-2068"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2022-08-23T00:00:00",
"db": "ZDI",
"id": "ZDI-22-1163"
},
{
"date": "2023-03-31T00:00:00",
"db": "ZDI",
"id": "ZDI-23-343"
},
{
"date": "2022-07-20T00:00:00",
"db": "VULMON",
"id": "CVE-2022-33320"
},
{
"date": "2023-09-08T08:28:00",
"db": "JVNDB",
"id": "JVNDB-2022-013544"
},
{
"date": "2022-07-27T18:55:00",
"db": "NVD",
"id": "CVE-2022-33320"
},
{
"date": "2022-07-28T00:00:00",
"db": "CNNVD",
"id": "CNNVD-202207-2068"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "local",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202207-2068"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "ICONICS GENESIS64 PKGX File Parsing Deserialization of Untrusted Data Remote Code Execution Vulnerability",
"sources": [
{
"db": "ZDI",
"id": "ZDI-22-1163"
},
{
"db": "ZDI",
"id": "ZDI-23-343"
}
],
"trust": 1.4
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "code problem",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-202207-2068"
}
],
"trust": 0.6
}
}
FKIE_CVE-2022-33320
Vulnerability from fkie_nvd - Published: 2022-07-20 17:15 - Updated: 2026-01-09 06:16
Severity ?
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Deserialization of Untrusted Data vulnerability in Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric ICONICS Suite versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite versions 10.97 to 10.97.1, and Mitsubishi Electric MC Works64 versions 4.04E and prior allows an unauthenticated attacker to execute an arbitrary malicious code by leading a user to load a project configuration file including malicious XML codes.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| iconics | genesis64 | 10.97 | |
| iconics | genesis64 | 10.97.1 | |
| mitsubishielectric | mc_works64 | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:iconics:genesis64:10.97:*:*:*:*:*:*:*",
"matchCriteriaId": "44D3F652-C916-4395-BD11-AECDDF960D45",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:iconics:genesis64:10.97.1:*:*:*:*:*:*:*",
"matchCriteriaId": "6D89798E-910C-4C3F-9385-D9B7CA921091",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
},
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:mitsubishielectric:mc_works64:*:*:*:*:*:*:*:*",
"matchCriteriaId": "F44C63DD-663E-4505-8586-D4BCAB01AF73",
"versionEndIncluding": "10.95.210.01",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Deserialization of Untrusted Data vulnerability in Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric ICONICS Suite versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite versions 10.97 to 10.97.1, and Mitsubishi Electric MC Works64 versions 4.04E and prior allows an unauthenticated attacker to execute an arbitrary malicious code by leading a user to load a project configuration file including malicious XML codes."
},
{
"lang": "es",
"value": "Una vulnerabilidad de Deserializaci\u00f3n de Datos No Confiables en ICONICS GENESIS64 versiones 10.97.1 y anteriores y Mitsubishi Electric MC Works64 versiones 4.04E (10.95.210.01) y anteriores permite a un atacante no autenticado ejecutar un c\u00f3digo malicioso arbitrario al conllevar a un usuario a cargar un archivo de configuraci\u00f3n de proyecto que incluye c\u00f3digos XML maliciosos"
}
],
"id": "CVE-2022-33320",
"lastModified": "2026-01-09T06:16:00.577",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2022-07-20T17:15:08.397",
"references": [
{
"source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/vu/JVNVU96480474/index.html"
},
{
"source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-22-202-04"
},
{
"source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp",
"tags": [
"Third Party Advisory"
],
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/vu/JVNVU96480474/index.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf"
}
],
"sourceIdentifier": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp",
"type": "Primary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "nvd@nist.gov",
"type": "Secondary"
}
]
}
GSD-2022-33320
Vulnerability from gsd - Updated: 2023-12-13 01:19Details
Deserialization of Untrusted Data vulnerability in ICONICS GENESIS64 versions 10.97.1 and prior and Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior allows an unauthenticated attacker to execute an arbitrary malicious code by leading a user to load a project configuration file including malicious XML codes.
Aliases
Aliases
{
"GSD": {
"alias": "CVE-2022-33320",
"description": "Deserialization of Untrusted Data vulnerability in ICONICS GENESIS64 versions 10.97.1 and prior and Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior allows an unauthenticated attacker to execute an arbitrary malicious code by leading a user to load a project configuration file including malicious XML codes.",
"id": "GSD-2022-33320"
},
"gsd": {
"metadata": {
"exploitCode": "unknown",
"remediation": "unknown",
"reportConfidence": "confirmed",
"type": "vulnerability"
},
"osvSchema": {
"aliases": [
"CVE-2022-33320"
],
"details": "Deserialization of Untrusted Data vulnerability in ICONICS GENESIS64 versions 10.97.1 and prior and Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior allows an unauthenticated attacker to execute an arbitrary malicious code by leading a user to load a project configuration file including malicious XML codes.",
"id": "GSD-2022-33320",
"modified": "2023-12-13T01:19:22.835366Z",
"schema_version": "1.4.0"
}
},
"namespaces": {
"cve.org": {
"CVE_data_meta": {
"ASSIGNER": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp",
"ID": "CVE-2022-33320",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ICONICS GENESIS64; Mitsubishi Electric MC Works64",
"version": {
"version_data": [
{
"version_value": "ICONICS GENESIS64 versions 10.97.1 and prior"
},
{
"version_value": "Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Deserialization of Untrusted Data vulnerability in ICONICS GENESIS64 versions 10.97.1 and prior and Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior allows an unauthenticated attacker to execute an arbitrary malicious code by leading a user to load a project configuration file including malicious XML codes."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "Deserialization of Untrusted Data"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf",
"refsource": "MISC",
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf"
},
{
"name": "https://jvn.jp/vu/JVNVU96480474/index.html",
"refsource": "MISC",
"url": "https://jvn.jp/vu/JVNVU96480474/index.html"
}
]
}
},
"nvd.nist.gov": {
"configurations": {
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:iconics:genesis64:10.97.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:iconics:genesis64:10.97:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:mitsubishielectric:mc_works64:*:*:*:*:*:*:*:*",
"cpe_name": [],
"versionEndIncluding": "10.95.210.01",
"vulnerable": true
}
],
"operator": "OR"
}
]
},
"cve": {
"CVE_data_meta": {
"ASSIGNER": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp",
"ID": "CVE-2022-33320"
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "en",
"value": "Deserialization of Untrusted Data vulnerability in ICONICS GENESIS64 versions 10.97.1 and prior and Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior allows an unauthenticated attacker to execute an arbitrary malicious code by leading a user to load a project configuration file including malicious XML codes."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://jvn.jp/vu/JVNVU96480474/index.html",
"refsource": "MISC",
"tags": [
"Third Party Advisory"
],
"url": "https://jvn.jp/vu/JVNVU96480474/index.html"
},
{
"name": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf",
"refsource": "MISC",
"tags": [
"Third Party Advisory"
],
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf"
}
]
}
},
"impact": {
"baseMetricV3": {
"cvssV3": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9
}
},
"lastModifiedDate": "2022-07-27T18:55Z",
"publishedDate": "2022-07-20T17:15Z"
}
}
}
GHSA-429H-8M2J-J6CX
Vulnerability from github – Published: 2022-07-21 00:00 – Updated: 2026-01-09 06:31
VLAI?
Details
Deserialization of Untrusted Data vulnerability in ICONICS GENESIS64 versions 10.97.1 and prior and Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior allows an unauthenticated attacker to execute an arbitrary malicious code by leading a user to load a project configuration file including malicious XML codes.
Severity ?
7.8 (High)
{
"affected": [],
"aliases": [
"CVE-2022-33320"
],
"database_specific": {
"cwe_ids": [
"CWE-502"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-20T17:15:00Z",
"severity": "HIGH"
},
"details": "Deserialization of Untrusted Data vulnerability in ICONICS GENESIS64 versions 10.97.1 and prior and Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior allows an unauthenticated attacker to execute an arbitrary malicious code by leading a user to load a project configuration file including malicious XML codes.",
"id": "GHSA-429h-8m2j-j6cx",
"modified": "2026-01-09T06:31:05Z",
"published": "2022-07-21T00:00:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33320"
},
{
"type": "WEB",
"url": "https://jvn.jp/vu/JVNVU96480474/index.html"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-22-202-04"
},
{
"type": "WEB",
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…