Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric MobileHMI versions 10.97.3 and prior, Mitsubishi Electric Hyper Historian versions 10.97.3 and prior, Mitsubishi Electric AnalytiX versions 10.97.3 and prior, Mitsubishi Electric GENESIS versions 11.02 and prior, Mitsubishi Electric MC Works64 all versions, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions MobileHMI versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions Hyper Historian versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions AnalytiX versions 10.97.3 and prior, and Mitsubishi Electric Iconics Digital Solutions GENESIS versions 11.02 and prior allows a local attacker to disclose the SQL Server credentials stored in plaintext within the local SQLite file by exploiting this vulnerability, when the local caching feature using SQLite is enabled and SQL authentication is used for the SQL Server authentication. As a result, the unauthorized attacker could access the SQL Server and disclose, tamper with, or destroy data on the server, potentially cause a denial-of-service (DoS) condition on the system.
AnalysisAI
Plaintext SQL Server credential storage in Mitsubishi Electric SCADA/HMI products allows local authenticated attackers with low-complexity exploitation to extract database credentials from SQLite cache files, enabling subsequent unauthorized SQL Server access for data manipulation and denial-of-service attacks. Affects multiple product lines including GENESIS64 ≤10.97.3, ICONICS Suite ≤10.97.3, and all MC Works64 versions when local SQLite caching is enabled with SQL authentication. CVSS 9.3 severity reflects extensive downstream impact potential (confidentiality, integrity, availability across both vulnerable system and connected SQL Server). No evidence of active exploitation (not in CISA KEV), but EPSS data unavailable and attack complexity rated low with only local authenticated access required.
Technical ContextAI
This vulnerability stems from CWE-312 (Cleartext Storage of Sensitive Information) in Mitsubishi Electric's industrial automation HMI/SCADA platforms. The affected products (GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian, AnalytiX, GENESIS, and MC Works64) implement an optional local caching feature using SQLite databases to store operational data. When configured to authenticate with backend SQL Server databases using SQL authentication (as opposed to Windows authentication), these systems persist SQL Server credentials in plaintext within the local SQLite database files. The CVSS:4.0 vector (AV:L/AC:L/PR:L) indicates local access with low privileges is required for exploitation, but the subsequent compromise score (SC:H/SI:H/SA:H) reflects that successful credential extraction enables cascading attacks against the SQL Server infrastructure, potentially affecting industrial control system databases containing process data, alarms, and historian information critical to operational technology environments.
RemediationAI
Mitsubishi Electric has released security advisory 2025-023 detailing remediation guidance available at https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-023_en.pdf, though specific patched version numbers are not confirmed from available data sources at time of analysis. Organizations should immediately consult the vendor advisory for update instructions and apply vendor-released patches when available. As interim mitigation where immediate patching is not feasible, disable local SQLite caching feature if not operationally required, or switch from SQL authentication to Windows Integrated Authentication for SQL Server connections to eliminate plaintext credential storage. Implement strict access controls on systems running affected software to minimize local access by untrusted users, apply principle of least privilege for operator accounts, and monitor SQLite database file access for unauthorized reads. Review SQL Server authentication logs for unexpected connection attempts that may indicate credential compromise. CISA advisory ICSA-26-097-01 at https://www.cisa.gov/news-events/ics-advisories/icsa-26-097-01 provides additional sector-specific guidance for critical infrastructure operators.
SQL Server credentials are displayed in cleartext within the Hyper Historian Splitter GUI across multiple Mitsubishi Ele
Deserialization of Untrusted Data vulnerability in Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.1, Mitsubishi E
A specially crafted communication packet sent to the affected devices could allow remote code execution and a denial-of-
A specially crafted communication packet sent to the affected systems could cause a denial-of-service condition or allow
Out-of-bounds Read vulnerability in Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric Iconics
A specially crafted WCF client that interfaces to the may allow the execution of certain arbitrary SQL commands remotely
Incorrect Default Permissions vulnerability in GenBroker32, which is included in the installers for Mitsubishi Electric
Improper privilege management in Jungo WinDriver 6.0.0 through 16.1.0 allows local attackers to escalate privileges and
Improper privilege management in Jungo WinDriver before 12.5.1 allows local attackers to escalate privileges and execute
Improper privilege management in Jungo WinDriver before 12.2.0 allows local attackers to escalate privileges and execute
Improper privilege management in Jungo WinDriver before 12.5.1 allows local attackers to escalate privileges, execute ar
Deserialization of Untrusted Data vulnerability in Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.1, Mitsubishi E
Same weakness CWE-312 – Cleartext Storage of Sensitive Information
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209294
GHSA-p3rg-2cj3-m987