PatchSiren cyber security CVE debrief
CVE-2024-1574 Mitsubishi Electric Iconics Digital Solutions CVE debrief
A local arbitrary code execution vulnerability exists in the licensing feature of multiple Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions products. The vulnerability stems from unsafe reflection (CWE-470), where externally-controlled input can be used to select classes or code. A local attacker with low privileges can execute arbitrary code with administrative privileges by tampering with a specific unprotected file. The vulnerability was initially published on July 2, 2024, and has been updated multiple times through April 7, 2026 (Update D), which added Hyper Historian, AnalytiX, and MobileHMI to the affected products list. The CVSS 3.1 score is 6.7 (Medium), with a vector of AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H, indicating local attack vector, high attack complexity, low privileges required, user interaction required, but high impact on confidentiality, integrity, and availability.
- Vendor: Mitsubishi Electric Iconics Digital Solutions
- Product: ICONICS Suite
- CVSS: MEDIUM 6.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-07-02
- Original CVE updated: 2026-04-07
- Advisory published: 2024-07-02
- Advisory updated: 2026-04-07
Who should care
Organizations running Mitsubishi Electric or Mitsubishi Electric Iconics Digital Solutions HMI/SCADA products in industrial control environments, particularly those with ICONICS Suite, GENESIS64, Hyper Historian, AnalytiX, MobileHMI, GENESIS32, BizViz, or MC Works64 deployments. Critical infrastructure operators and manufacturing facilities using these products for process visualization and control should prioritize assessment and remediation.
Technical summary
The vulnerability exists in the licensing feature of affected products due to unsafe reflection (CWE-470), where externally-controlled input can select classes or code. A local attacker with low privileges can tamper with a specific unprotected file to execute arbitrary code with administrative privileges. The attack requires high complexity and user interaction but results in complete system compromise (high confidentiality, integrity, and availability impact).
Defensive priority
HIGH
Recommended defensive actions
- Apply vendor fix version 10.97.3 or later for ICONICS Suite, GENESIS64, Hyper Historian, AnalytiX, and MobileHMI products where available
- For GENESIS32, BizViz, and MC Works64 products with no planned fix, implement network segmentation by placing control system networks and devices behind firewalls
- Restrict physical access to systems running affected products to prevent unauthorized local access
- Implement user awareness training to prevent clicking web links or opening attachments from untrusted sources
- Monitor for unauthorized file modifications in licensing-related directories
- Review and apply ICS-CERT recommended practices for defense in depth strategies
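The file-modification monitoring recommended above can be done with a simple hash baseline of the licensing directory. The snippet below is an added example, not code from the advisory or the vendor; the directory path and file names are constructed placeholders, since the advisory does not name the unprotected file.

```python
"""Baseline-and-compare integrity check for a licensing directory.
Added example; LICENSING_DIR is a placeholder, not a path from the advisory."""
import hashlib
import tempfile
from pathlib import Path

LICENSING_DIR = r"C:\PLACEHOLDER\LicensingDir"  # replace with the real product directory


def snapshot(root: str) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    base = Path(root)
    digests = {}
    for path in sorted(p for p in base.rglob("*") if p.is_file()):
        h = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                h.update(chunk)
        digests[path.relative_to(base).as_posix()] = h.hexdigest()
    return digests


def diff(baseline: dict, current: dict):
    """Return (modified, added, removed) relative paths between two snapshots."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed


def demo():
    """Self-contained run on a constructed temp directory: one file tampered, one dropped in."""
    with tempfile.TemporaryDirectory() as tmp:
        lic = Path(tmp) / "license.cfg"  # constructed sample file, not a real product file
        lic.write_text("serial=PLACEHOLDER\n")
        baseline = snapshot(tmp)
        lic.write_text("serial=PLACEHOLDER\nloader=changed\n")  # simulated tampering
        (Path(tmp) / "dropped.dll").write_bytes(b"\x00")  # simulated added file
        return diff(baseline, snapshot(tmp))


if __name__ == "__main__":
    print(demo())
```

In practice, store the baseline snapshot taken right after installation and run diff against it on a schedule; any entry in modified or added in that directory is worth an alert.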
Evidence notes
The vulnerability affects 15 product variants across two vendor lines: Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric. Affected products include ICONICS Suite, GENESIS64, Hyper Historian, AnalytiX, MobileHMI (all <=10.97.2), GENESIS32 and BizViz (<=9.7), and MC Works64 (all versions). Fixed versions (10.97.3 or later) are available for ICONICS Suite, GENESIS64, Hyper Historian, AnalytiX, and MobileHMI. No fix is planned for GENESIS32, BizViz, or MC Works64; these require network segmentation and physical access controls.
Official resources
- CVE-2024-1574 CVE record (CVE.org)
- CVE-2024-1574 NVD detail (NVD)
- Source item URL (cisa_csaf)
2024-07-02