PatchSiren cyber security CVE debrief
CVE-2023-2650 OpenSSL CVE debrief
A low-severity denial-of-service vulnerability exists in Mitsubishi Electric ICONICS Suite and related products when the BACnet Secure Connect feature is enabled. The vulnerability stems from an integrated OpenSSL library that fails to limit resource allocation during certificate validation. A remote attacker can trigger temporary denial-of-service by sending a certificate containing a specially crafted ASN.1 OBJECT IDENTIFIER. The issue was initially published on July 2, 2024, with the most recent advisory update (Update D) released on April 7, 2026, adding Hyper Historian, AnalytiX, and MobileHMI to the affected products list. The vulnerability requires network access and high attack complexity, with no privileges or user interaction needed. Affected versions are 10.97.2 across all listed product families.
- Vendor
- OpenSSL
- Product
- SINEC NMS
- CVSS
- MEDIUM 6.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-02-13
- Original CVE updated
- 2024-03-12
- Advisory published
- 2024-02-13
- Advisory updated
- 2024-03-12
Who should care
Organizations running Mitsubishi Electric ICONICS Suite, GENESIS64, Hyper Historian, AnalytiX, MobileHMI, GENESIS32, BizViz, IoTWorX, or MC Works64 version 10.97.2 with BACnet Secure Connect enabled. Industrial control system operators in critical infrastructure sectors using these HMI/SCADA products should prioritize assessment, particularly if external network connectivity or certificate-based authentication is in use.
Technical summary
The vulnerability exists in the OpenSSL library integrated into affected Mitsubishi Electric products when BACnet Secure Connect is enabled. During certificate validation, a specially crafted ASN.1 OBJECT IDENTIFIER can cause excessive resource allocation without proper throttling, resulting in temporary denial-of-service. The attack requires network connectivity and is considered to have high complexity. The vulnerability does not affect confidentiality or integrity, only availability, and the impact is rated as low. The BACnet Secure Connect feature is installed as a beta version in GENESIS64 and ICONICS Suite and is disabled by default, reducing exposure for default configurations.
Defensive priority
LOW
Recommended defensive actions
- Upgrade affected products to version 10.97.3 or later. For ICONICS Suite, GENESIS64, Hyper Historian, AnalytiX, and MobileHMI, obtain fixes from the ICONICS security portal. For Mitsubishi Electric branded versions, use
- If immediate patching is not possible, disable the BACnet Secure Connect feature, which is installed as a beta component and disabled by default in GENESIS64 and ICONICS Suite.
- Implement network segmentation by placing control system networks and devices behind firewalls, isolated from untrusted networks and hosts.
- Restrict physical access to systems running affected products and prevent unauthorized network contact.
- Block import of certificates from untrusted sources and educate users against clicking web links or opening attachments from untrusted emails.
Evidence notes
The vulnerability description and affected products are drawn from CISA CSAF advisory ICSA-24-184-03, which has undergone five revision cycles. The SSVC vector indicates exploitation is expected (E:N), automatable (A:Y), and technical impact is partial (T:P). The CVSS 3.1 score of 3.7 reflects network attack vector, high complexity, and low availability impact. The underlying issue is categorized as CWE-770 (Allocation of Resources Without Limits or Throttling).
Official resources
-
CVE-2023-2650 CVE record
CVE.org
-
CVE-2023-2650 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2024-07-02