PatchSiren cyber security CVE debrief
CVE-2024-8299 Mitsubishi Electric CVE debrief
A malicious code execution vulnerability exists in the Phone agent component of the multi-agent notification feature across multiple Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions products. The vulnerability stems from an uncontrolled search path element (CWE-427) that allows local attackers to execute arbitrary code. The issue affects GENESIS64, ICONICS Suite, MC Works64, and GENESIS32 under specific telephony board configurations. Customers using Dialogic telephony boards without the proper driver installed, or non-Dialogic telephony boards, face unconditional exposure. The vulnerability was initially published on December 3, 2024, and has undergone three subsequent updates through April 7, 2026, expanding affected product scope and adding fixed version information. CISA has not added this vulnerability to the Known Exploited Vulnerabilities catalog.
- Vendor: Mitsubishi Electric
- Product: GENESIS64
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-12-03
- Original CVE updated: 2026-04-07
- Advisory published: 2024-12-03
- Advisory updated: 2026-04-07
Who should care
Organizations operating industrial control systems and SCADA environments using Mitsubishi Electric GENESIS64, ICONICS Suite, MC Works64, or GENESIS32 with multi-agent notification features enabled. Critical infrastructure operators in manufacturing, energy, and building automation sectors where these HMI/SCADA platforms are deployed. Security teams responsible for OT/ICS asset management and patch coordination. Organizations with telephony-integrated alarm notification systems should prioritize assessment.
Technical summary
The vulnerability exists in the Phone agent of the multi-agent notification feature. An uncontrolled search path element allows a locally authenticated attacker with low privileges to execute malicious code without user interaction. The attack results in complete confidentiality, integrity, and availability compromise of the affected system. Attack complexity is low, and no special conditions beyond local access are required. The vulnerability is particularly relevant in environments where telephony integration is configured without proper driver installation or with non-Dialogic hardware.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade GENESIS64, ICONICS Suite, and Hyper Historian to version 10.98 or later if the Phone agent is not required
- Install the Dialogic driver if a Dialogic telephony board is used with the Phone agent functionality
- Uninstall the multi-agent notification feature if it is not needed
- Perform a custom installation of the multi-agent notification feature that excludes the Phone agent if the notification feature is required but the Phone agent is not
- Restrict network access to affected systems using firewalls or VPNs
- Limit physical access to systems running the affected products
- Block remote login from untrusted networks, hosts, and users
- Educate users not to click web links or open attachments from untrusted email sources
Evidence notes
Vulnerability disclosed via CISA ICS Advisory ICSA-24-338-04 on December 3, 2024. Advisory updated three times: Update A (January 8, 2026) added GENESIS32; Update B (March 10, 2026) added ICONICS Suite; Update C (April 7, 2026) added fixed versions. CVSS 3.1 vector confirms local attack vector with low attack complexity. SSVCv2 scoring indicates no evidence of exploitation, no active exploitation observed, and total technical impact.
Official resources
- CVE-2024-8299 CVE record (CVE.org)
- CVE-2024-8299 NVD detail (NVD)
- Source item URL (cisa_csaf)
- Source reference (Reference)