PatchSiren cyber security CVE debrief
CVE-2024-8300 Mitsubishi Electric Iconics Digital Solutions CVE debrief
A malicious code execution vulnerability exists in the FA device communication driver of GENESIS64 and ICONICS Suite due to dead code (CWE-561). It affects users who install the products in an unprotected folder other than the default installation folder. The CVSS 3.1 vector indicates a local attack vector, high attack complexity, low privileges required, no user interaction, and high impact on confidentiality, integrity, and availability (base score 7.0). The advisory was initially published on 2024-12-03 and has undergone three updates: Update A (2026-01-08) added GENESIS32, Update B (2026-03-10) added ICONICS Suite, and Update C (2026-04-07) added fixed versions. Affected versions include the GENESIS64 and ICONICS Suite 10.97.2 series (10.97.2, 10.97.2 CFR1, 10.97.2 CFR2) and the 10.97.3 series. Vendor fixes are available as Critical Fixes Rollups.
- Vendor
- Mitsubishi Electric Iconics Digital Solutions
- Product
- GENESIS64
- CVSS
- HIGH 7.0
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-12-03
- Original CVE updated
- 2026-04-07
- Advisory published
- 2024-12-03
- Advisory updated
- 2026-04-07
Who should care
Organizations operating industrial control systems and SCADA/HMI environments using GENESIS64 or ICONICS Suite for process visualization and control, particularly those in manufacturing, energy, water/wastewater, and critical infrastructure sectors. System administrators responsible for deployment configurations and security teams managing OT/ICS security postures should prioritize assessment and remediation.
Technical summary
The vulnerability stems from dead code present in the FA device communication driver. When an affected product is installed in a non-default folder that is not access-controlled (in practice, one whose file-system permissions let non-administrative users modify its contents), the dead code path can be leveraged for malicious code execution. The attack requires a local account with low privileges and no user interaction, and a successful attack can fully compromise the confidentiality, integrity, and availability of the host. The high attack complexity (AC:H) reflects this deployment precondition rather than any inherent hardening: the exposure exists only where the product was installed outside the default, protected folder, which is why the vendor's interim mitigation is simply to install into the default location. The vulnerability affects both Mitsubishi Electric-branded and Mitsubishi Electric Iconics Digital Solutions-branded versions of GENESIS64 and ICONICS Suite.
Defensive priority
HIGH
Recommended defensive actions
- Apply vendor fixes: For GENESIS64 and ICONICS Suite Version 10.97.2 series, install '10.97.2 Critical Fixes Rollup 3'. For Version 10.97.3 series, install '10.97.3 Critical Fixes Rollup 2'.
- If immediate patching is not possible, install affected products only in the default protected installation folder, not in unprotected non-default locations.
- Restrict network access by blocking remote login from untrusted networks, hosts, and users for systems running affected products.
- Implement firewall or VPN controls to prevent unauthorized access when connecting affected systems to the Internet, allowing remote access only to trusted users.
- Restrict physical access to systems running affected products and their connected networks.
- Train users to avoid clicking web links or opening attachments from untrusted email sources.
- Monitor the Mitsubishi Electric security advisory and the ICONICS GENESIS64 security updates page for additional guidance.
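As a practical check for the "default protected folder" mitigation above, the following PowerShell audit is an added example for this debrief, not code from Mitsubishi Electric, ICONICS or CISA. It locates GENESIS64 / ICONICS Suite installations through the standard Windows Uninstall registry keys, reports their version and install location, and inspects each install folder's ACL for Allow rules that grant write or ACL-modification rights to broad low-privilege principals (Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE). Two things are assumptions of the example rather than facts from the advisory: the DisplayName match pattern 'GENESIS64|ICONICS', and that the default installer path lives under Program Files, whose default ACL denies writes to standard users.

```powershell
# Added example for this debrief, not vendor or CISA code. Audits local
# GENESIS64 / ICONICS Suite installs for the CVE-2024-8300 precondition:
# an install folder that non-administrative users can write to.
#
# Assumptions not taken from the advisory:
#  - product entries appear under the standard Windows Uninstall keys with a
#    DisplayName containing "GENESIS64" or "ICONICS";
#  - the default installer path lives under Program Files, whose default ACL
#    denies writes to standard users.
# Run from an elevated PowerShell session on the HMI/SCADA host.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Well-known SIDs for broad, low-privilege principals. Matching on SID keeps
# the check independent of the OS display language.
$broadPrincipals = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Rights that let a principal change the folder's contents or its ACL.
# FileSystemRights::Write already covers WriteData/CreateFiles,
# AppendData/CreateDirectories, WriteAttributes and WriteExtendedAttributes.
$fsr = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($fsr::Write -bor $fsr::Delete -bor $fsr::DeleteSubdirectoriesAndFiles -bor
                   $fsr::ChangePermissions -bor $fsr::TakeOwnership)

# Roots that Windows protects by default (ProgramFiles(x86) is absent on 32-bit hosts).
$protectedRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

function Get-IconicsInstall {
    # Walk both the native and the WOW6432Node uninstall hives.
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match 'GENESIS64|ICONICS' -and $_.InstallLocation } |
        Select-Object DisplayName, DisplayVersion, InstallLocation
}

function Get-BroadWriteGrant {
    # Emits one object per Allow ACE that grants write-class rights to a broad
    # principal on $Path; emits nothing for a properly protected folder.
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        try {
            $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # orphaned or untranslatable account: skip it
        if ($broadPrincipals.ContainsKey($sid) -and (([int]$rule.FileSystemRights -band $writeMask) -ne 0)) {
            [pscustomobject]@{
                Principal = $broadPrincipals[$sid]
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

foreach ($app in Get-IconicsInstall) {
    $path = $app.InstallLocation.TrimEnd('\')
    $underProtectedRoot = [bool]($protectedRoots | Where-Object {
        $path.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) })
    $grants = @(Get-BroadWriteGrant -Path $path)

    [pscustomobject]@{
        Product            = $app.DisplayName
        Version            = $app.DisplayVersion   # rollup level must be confirmed per vendor notes
        InstallLocation    = $path
        UnderProgramFiles  = $underProtectedRoot
        WritableByStdUsers = ($grants.Count -gt 0)
    } | Format-List

    foreach ($g in $grants) {
        Write-Warning ("{0}: {1} holds {2} (inherited={3}); this matches the 'unprotected folder' precondition" -f
            $path, $g.Principal, $g.Rights, $g.Inherited)
    }
}
```

A warning for an install folder means the host meets the precondition described in the technical summary: either reinstall into the default protected folder as the vendor recommends, or, if the location must stay, remove the offending grants and re-run the audit. The script reports DisplayVersion as found but does not try to infer whether a Critical Fixes Rollup is present, because the advisory text does not say how the rollups alter the reported version; confirm rollup level through the vendor's own release notes.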
Evidence notes
Source: CISA ICS Advisory ICSA-24-338-04 (Update C). CVSS 3.1 vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H. CWE-561 (Dead Code). Affected products confirmed through CSAFPID-0002, CSAFPID-0004, CSAFPID-0009, CSAFPID-0011.
Official resources
- CVE-2024-8300 CVE record (CVE.org)
- CVE-2024-8300 NVD detail (NVD)
- Source item URL (cisa_csaf): CISA ICS Advisory ICSA-24-338-04