PatchSiren cyber security CVE debrief

CVE-2024-7587 Mitsubishi Electric Iconics Digital Solutions CVE debrief

A vulnerability caused by incorrect default permissions exists in Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric products. This vulnerability may allow unauthorized disclosure of confidential information, data tampering, or denial-of-service conditions.

Vendor
Mitsubishi Electric Iconics Digital Solutions
Product
GENESIS64
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2024-10-22
Original CVE updated
2026-02-24
Advisory published
2024-10-22
Advisory updated
2026-02-24

Who should care

Organizations operating industrial control systems, SCADA environments, manufacturing facilities, building automation systems, and critical infrastructure utilizing Mitsubishi Electric or Iconics Digital Solutions HMI/SCADA software. System integrators, OT security teams, and asset owners in sectors including energy, water/wastewater, manufacturing, and smart buildings should prioritize assessment and remediation.

Technical summary

This vulnerability (CWE-276: Incorrect Default Permissions) affects multiple Mitsubishi Electric and Iconics Digital Solutions product lines used in industrial automation and SCADA environments. The root cause is insecure default filesystem permissions on the C:\ProgramData\ICONICS directory tree, which may grant excessive access to the 'Everyone' group. An attacker with local access and low privileges can exploit this misconfiguration to read sensitive configuration data, modify operational parameters, or disrupt service availability. The attack requires no user interaction and has low complexity. Affected products include GENESIS64 (≤10.97.3), ICONICS Suite (≤10.97.3), Hyper Historian (≤10.97.3), AnalytiX (≤10.97.3), MobileHMI (≤10.97.3), GENESIS32 (≤9.70.300.23), and all versions of MC Works64. Security updates are available for current-generation products, while GENESIS32 (retired) and MC Works64 have no planned fixes, requiring compensating controls.

Defensive priority

HIGH

Recommended defensive actions

  • Verify and correct folder permissions on C:\ProgramData\ICONICS by removing 'Everyone' access if present, applying this change to all subdirectories
  • Apply vendor security updates for GENESIS64 and ICONICS Suite products through critical fixes and rollup releases where available
  • For MC Works64, which has no planned security update, implement compensating network segmentation controls
  • For GENESIS32 (version 9.x), which has reached end-of-life with no patches planned, migrate to supported versions or implement strict isolation controls
  • Deploy affected systems within isolated LAN segments with remote login blocked from untrusted networks, hosts, or users
  • Implement firewalls, VPNs, and access controls to prevent unauthorized remote access when internet connectivity is required
  • Restrict physical access to systems running affected products
  • Deploy anti-virus software on affected systems as a compensating control
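The first action above, checking the ICONICS data directory tree for 'Everyone' access and removing it, can be scripted so it is repeatable across every HMI/SCADA host. The script below is an added example written for this debrief; it is not vendor code and is not taken from the advisory. It assumes the default install location C:\ProgramData\ICONICS (override with -Path if the product was installed elsewhere) and matches on the well-known SID S-1-1-0 rather than the display name 'Everyone', so it also works on localized Windows installations. Without -Remediate it only reports; with -Remediate it removes explicit Allow entries for Everyone, honouring -WhatIf.

```powershell
# Added example (not from the advisory or the vendor): audit the ICONICS
# data directory tree for ACEs granted to 'Everyone' (SID S-1-1-0) and,
# when -Remediate is given, remove the explicit Allow entries.
# Run from an elevated PowerShell session. -Path is an assumption based on
# the directory named in the advisory.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$Path = 'C:\ProgramData\ICONICS',
    [switch]$Remediate
)

# Compare on the SID, not the (locale-dependent) account name.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

if (-not (Test-Path -LiteralPath $Path)) {
    Write-Warning "Path not found: $Path (product may not be installed on this host)"
    return
}

# The root directory first, then everything beneath it (hidden items included).
# Processing the root first matters: inherited ACEs on children disappear once
# the explicit entry on the parent is removed.
$items = @(Get-Item -LiteralPath $Path) +
         @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

$findings = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }

    $toRemove = @()
    foreach ($ace in $acl.Access) {
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        } catch { continue }   # unresolvable identity; not Everyone
        if ($sid -ne $everyone) { continue }

        # Report every Everyone entry, inherited or not.
        [pscustomobject]@{
            Path      = $item.FullName
            Rights    = $ace.FileSystemRights
            Type      = $ace.AccessControlType
            Inherited = $ace.IsInherited
        }

        # Only explicit Allow entries can be removed here; inherited ones are
        # removed at the object they are inherited from.
        if ($Remediate -and -not $ace.IsInherited -and $ace.AccessControlType -eq 'Allow') {
            $toRemove += $ace
        }
    }

    if ($toRemove.Count -gt 0) {
        $what = "Remove Everyone ACE(s): " + (($toRemove | ForEach-Object { $_.FileSystemRights }) -join ', ')
        if ($PSCmdlet.ShouldProcess($item.FullName, $what)) {
            foreach ($ace in $toRemove) { $null = $acl.RemoveAccessRule($ace) }
            Set-Acl -LiteralPath $item.FullName -AclObject $acl
        }
    }
}

if (-not $findings) {
    Write-Output "No 'Everyone' entries found under $Path"
} else {
    $findings | Format-Table -AutoSize
    Write-Output ("{0} 'Everyone' entries found under {1}" -f @($findings).Count, $Path)
}
```

Run it once without -Remediate on a representative host to see what the default permissions actually look like, then with -Remediate -WhatIf to preview the changes, and finally with -Remediate during a maintenance window, since the ICONICS services may hold files open. Re-running the audit afterwards should report zero entries; keep that output as evidence for the remediation record.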

Evidence notes

The vulnerability stems from incorrect default permissions on the C:\ProgramData\ICONICS folder, which may include overly permissive access rights such as 'Everyone' permissions. This local privilege escalation vector (AV:L) allows authenticated users with low privileges to achieve high-impact outcomes including confidentiality breach, data integrity compromise, and system availability disruption. The CVSS 3.1 vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H indicates local attack vector, low attack complexity, low privileges required, no user interaction, and high impacts across confidentiality, integrity, and availability. The advisory has undergone multiple revisions: initial publication (2024-10-22), Update A noting no security update planned for MC Works64 (2025-09-09), Update B adding GENESIS32 (2026-01-08), and Update C changing mitigation descriptions and updating the product tree (2026-02-24).

Official resources

2024-10-22