PatchSiren cyber security CVE debrief
CVE-2025-0921 Mitsubishi Electric CVE debrief
CVE-2025-0921 is a medium-severity information tampering issue in multiple Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions products. CISA and the vendor describe a local attack path where a user creates a symbolic link from a file a service writes to, redirecting the write to an arbitrary target file. If the target is important to system operation, the overwrite can destroy it and trigger a denial-of-service condition. The advisory was first published on 2025-05-20 and later updated through 2026-04-07 to expand affected products and remediation details.
- Vendor
- Mitsubishi Electric
- Product
- GENESIS64
- CVSS
- MEDIUM 6.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-05-20
- Original CVE updated
- 2026-04-07
- Advisory published
- 2025-05-20
- Advisory updated
- 2026-04-07
Who should care
OT and industrial control system operators, Windows administrators, and asset owners running any affected Mitsubishi Electric or ICONICS-family product should review this immediately, especially on PCs where local logon is possible or where a file overwrite could disrupt operations.
Technical summary
The vulnerability is described as execution with unnecessary privileges in multiple services across GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian, AnalytiX, IoTWorX, MC Works64, GENESIS, GENESIS32, and BizViz. A local attacker can create a symbolic link from a file used as a write destination by the service to a target file, causing an unauthorized write to that target. The resulting tampering can destroy the target file and may lead to denial of service if the file is necessary for system operation. The supplied CVSS vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N.
Defensive priority
Medium, with higher operational priority on systems where local access is possible or where overwritten files would affect production availability.
Recommended defensive actions
- Apply vendor fixes where available: GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian, and AnalytiX should be updated to 10.98 or later; IoTWorX should be updated to 10.96 or later; GENESIS should be updated to 11.01或
- For MC Works64, GENESIS32, and BizViz, follow the vendor advisory because no fixed version is planned in the supplied corpus.
- Restrict affected PCs so that only administrators can log in.
- Keep affected PCs in a LAN and block remote login from untrusted networks, hosts, and non-administrator users.
- Use firewall and VPN controls to block unauthorized access, and allow remote login only to administrators when internet access is required.
- Restrict physical access to the PC and the connected network.
- Review exposure of any service account or workflow that can write to files in locations an attacker could replace with a symbolic link.
Evidence notes
This debrief is based on the CISA CSAF advisory ICSA-25-140-04 and the Mitsubishi Electric security advisory 2025-002. The source corpus states the issue is a local symbolic-link-based file overwrite affecting multiple services and identifies fixed versions for some products plus mitigations for unfixed products. Timing context follows the supplied CVE published date of 2025-05-20 and modified date of 2026-04-07; the later date reflects advisory updates, not the original issue date. The supplied enrichment does not list KEV inclusion or ransomware campaign use.
Official resources
-
CVE-2025-0921 CVE record
CVE.org
-
CVE-2025-0921 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed by CISA and the vendor on 2025-05-20, with follow-on advisory updates through 2026-04-07. This debrief reflects the advisory timeline supplied in the source corpus and does not use generation time as the issue date.