PatchSiren cyber security CVE debrief
CVE-2024-1182 Mitsubishi Electric Iconics Digital Solutions CVE debrief
A local arbitrary code execution vulnerability exists in the Pager agent component of the multi-agent notification feature across multiple Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions products. The vulnerability stems from an uncontrolled search path element (CWE-427), which allows a local attacker to execute arbitrary code by placing a specially crafted DLL in a specific folder. It was initially published on July 2, 2024, and has undergone four subsequent updates through April 7, 2026; the most recent update added Hyper Historian, AnalytiX, and MobileHMI to the affected products list. The CVSS 3.1 vector describes a high-severity issue with a local attack vector, low privileges required, and high attack complexity, resulting in complete confidentiality, integrity, and availability impact. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
- Vendor: Mitsubishi Electric Iconics Digital Solutions
- Product: ICONICS Suite
- CVSS: HIGH 7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-07-02
- Original CVE updated: 2026-04-07
- Advisory published: 2024-07-02
- Advisory updated: 2026-04-07
Who should care
Organizations operating industrial control systems, SCADA environments, and manufacturing facilities using Mitsubishi Electric or ICONICS HMI/SCADA products. Critical infrastructure operators in energy, water, and manufacturing sectors where GENESIS64, GENESIS32, or MC Works64 are deployed for process visualization and control. Security teams responsible for OT/ICS asset management and vulnerability remediation in environments with legacy ICONICS installations.
Technical summary
The vulnerability exists in the Pager agent component of the multi-agent notification feature, where an uncontrolled search path element allows DLL hijacking. A local attacker with low privileges can execute arbitrary code by storing a malicious DLL in a specific folder that the application searches during execution. Attack complexity is high due to the local access requirement and specific conditions, but successful exploitation grants complete system compromise. The vulnerability affects multiple product lines across two vendor entities: Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric. ICONICS Suite, GENESIS64, GENESIS32, Hyper Historian, AnalytiX, MobileHMI, BizViz, IoTWorX, and MC Works64 are impacted. For most products, versions at or below 10.97.3 are affected; for GENESIS32, versions at or below 9.7. MC Works64 is affected in all versions, with no planned security update.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade affected products to version 10.98 or later if Pager agent functionality is not required; download fixed versions from the Mitsubishi Electric Iconics Digital Solutions resource center
- If Pager agent is required, avoid custom installation of the multi-agent notification feature on GENESIS64, ICONICS Suite, and Hyper Historian version 10.97.3 and later, as this feature is no longer included in the default installation
- For GENESIS32 and MC Works64, do not install the multi-agent notification feature as no security updates are planned for these products
- Implement network segmentation by placing control system networks and devices behind firewalls, isolating them from untrusted networks and hosts
- Restrict physical access to systems running affected products and limit network access to authorized personnel only
- Educate users to avoid clicking web links or opening attachments from untrusted email sources
- For MC Works64 specifically, review security settings to ensure at least one of four conditions is not met: Active Directory usage, automatic login enabled, IcoAnyGlass IIS application pool running under AD Domain
- Monitor for unauthorized DLL files in application directories and implement application whitelisting where feasible
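
One way to carry out the DLL monitoring item above on a Windows host, as an added example that is not code from the advisory or the vendor. The advisory text here does not name the folder involved, so `$AppDir` is a placeholder to replace with the product's real install path; the script reports folders where broad low-privileged groups can create files, and DLLs without a valid Authenticode signature.

```powershell
# Added example. $AppDir is a placeholder; point it at the real install folder.
param([string]$AppDir = 'C:\Path\To\Product\Install')

# Well-known SIDs of broad, low-privileged groups.
$LowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
$Fsr       = [System.Security.AccessControl.FileSystemRights]
$WriteBits = [int]$Fsr::WriteData -bor [int]$Fsr::AppendData   # create or append files
$InhOnly   = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
$SidType   = [System.Security.Principal.SecurityIdentifier]

# 1. Folders in the install tree where a low-privileged group can create files.
$dirs = @(Get-Item -LiteralPath $AppDir) +
        @(Get-ChildItem -LiteralPath $AppDir -Directory -Recurse -ErrorAction SilentlyContinue)
$writableDirs = foreach ($d in $dirs) {
    $acl = Get-Acl -LiteralPath $d.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }
    foreach ($rule in $acl.GetAccessRules($true, $true, $SidType)) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -eq 'Allow' -and
            $LowPrivSids.ContainsKey($sid) -and
            (([int]$rule.PropagationFlags -band $InhOnly) -eq 0) -and
            (([int]$rule.FileSystemRights -band $WriteBits) -ne 0)) {
            [pscustomobject]@{ Folder = $d.FullName; Principal = $LowPrivSids[$sid]
                               Rights = $rule.FileSystemRights }
        }
    }
}

# 2. DLLs in the tree whose Authenticode signature is missing or not valid.
$suspectDlls = Get-ChildItem -LiteralPath $AppDir -Filter *.dll -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -LiteralPath $_.FullName
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{
                Path       = $_.FullName
                Signature  = $sig.Status
                CreatedUtc = $_.CreationTimeUtc
                SHA256     = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            }
        }
    }

$writableDirs | Format-Table -AutoSize
$suspectDlls  | Format-Table -AutoSize
```

A missing signature alone does not prove tampering, so compare flagged files against a known-good installation of the same version before acting on them.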
Evidence notes
The vulnerability description and affected products are derived from CISA CSAF advisory ICSA-24-184-03, which has been updated five times since initial publication. The SSVCv2 score of E:N/A:N/T:T indicates no evidence of active exploitation, no automatable attack surface, and total technical impact. The affected feature is no longer part of default installations in version 10.97.3 and later for GENESIS64, ICONICS Suite, and Hyper Historian.
Official resources
- CVE-2024-1182 CVE record (CVE.org)
- CVE-2024-1182 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)
2024-07-02