Skip to main content

Genesis64 CVE-2025-14816

| EUVDEUVD-2025-209296 CRITICAL
Cleartext Storage of Sensitive Information in GUI (CWE-317)
2026-04-08 Mitsubishi
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Apr 08, 2026 - 14:16 euvd
EUVD-2025-209296
Analysis Generated
Apr 08, 2026 - 14:16 vuln.today
CVE Published
Apr 08, 2026 - 13:23 nvd
CRITICAL 9.3

DescriptionCVE.org

Cleartext Storage of Sensitive Information in GUI vulnerability in Mitsubishi Electric GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric MobileHMI versions 10.97.3 and prior, Mitsubishi Electric Hyper Historian versions 10.97.3 and prior, Mitsubishi Electric AnalytiX versions 10.97.3 and prior, Mitsubishi Electric GENESIS versions 11.02 and prior, Mitsubishi Electric MC Works64 all versions, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions MobileHMI versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions Hyper Historian versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions AnalytiX versions 10.97.3 and prior, and Mitsubishi Electric Iconics Digital Solutions GENESIS versions 11.02 and prior allows a local attacker to disclose the SQL Server credentials displayed in plain text in the GUI of the Hyper Historian Splitter feature by exploiting this vulnerability, when SQL authentication is used for the SQL Server authentication. As a result, the unauthorized attacker could access the SQL Server and disclose, tamper with, or destroy data on the server, potentially cause a denial-of-service (DoS) condition on the system.

AnalysisAI

SQL Server credentials are displayed in cleartext within the Hyper Historian Splitter GUI across multiple Mitsubishi Electric SCADA/HMI platforms (GENESIS64, ICONICS Suite, MC Works64, and related products), allowing local authenticated attackers with low privileges to capture database credentials and subsequently gain unauthorized access to backend SQL Servers. This affects versions 10.97.3 and prior for most products and all versions of MC Works64. No active exploitation confirmed (not in CISA KEV), though CISA has issued ICS advisory ICSA-26-097-01. With a CVSS 9.3 (Critical) score reflecting high confidentiality, integrity, and availability impact on both vulnerable and subsequent systems, the risk centers on credential theft enabling downstream SQL Server compromise.

Technical ContextAI

This vulnerability (CWE-317: Cleartext Storage of Sensitive Information in the GUI) affects Mitsubishi Electric's industrial automation and SCADA product family, specifically the Hyper Historian Splitter feature when configured to use SQL Server authentication mode. The affected products-GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian, AnalytiX, GENESIS, and MC Works64-are human-machine interface (HMI) and supervisory control platforms widely deployed in industrial control systems (ICS) environments. The vulnerability exposes SQL authentication credentials directly in the graphical user interface without encryption or masking. This is distinct from CWE-256 (plaintext password storage in files) as the exposure occurs in the runtime GUI itself, making credentials visible to any user with local access to the application interface. The CPE strings identify both Mitsubishi Electric Corporation and Mitsubishi Electric Iconics Digital Solutions branded versions, indicating this is a shared codebase issue across product rebranding. The CVSS 4.0 vector (AV:L/AC:L/PR:L) confirms this requires local system access with low-privilege authenticated access but minimal attack complexity.

RemediationAI

Apply security updates according to Mitsubishi Electric PSIRT advisory 2025-023 available at https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-023_en.pdf. Specific patched versions are not enumerated in the provided intelligence data; consult the vendor advisory directly for update instructions and fixed release versions. Until patches can be deployed, implement compensating controls including restricting local access to HMI workstations running affected software to only authorized personnel, enforcing Windows authentication for SQL Server connections instead of SQL authentication mode where architecturally feasible, implementing database activity monitoring to detect unauthorized credential usage, applying principle of least privilege to SQL Server accounts used by Hyper Historian, and deploying endpoint monitoring to detect credential harvesting attempts. For MC Works64 where all versions are affected, prioritize migration planning if the vendor indicates end-of-support status. Follow guidance in CISA advisory ICSA-26-097-01 for additional ICS-specific hardening measures.

CVE-2025-14815 CRITICAL
9.3 Apr 08

Plaintext SQL Server credential storage in Mitsubishi Electric SCADA/HMI products allows local authenticated attackers w

CVE-2022-33318 CRITICAL
9.8 Jul 20

Deserialization of Untrusted Data vulnerability in Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.1, Mitsubishi E

CVE-2020-12007 CRITICAL
9.8 Jul 16

A specially crafted communication packet sent to the affected devices could allow remote code execution and a denial-of-

CVE-2020-12011 CRITICAL
9.8 Jul 16

A specially crafted communication packet sent to the affected systems could cause a denial-of-service condition or allow

CVE-2022-33319 CRITICAL
9.1 Jul 20

Out-of-bounds Read vulnerability in Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric Iconics

CVE-2020-12013 CRITICAL
9.1 Jul 16

A specially crafted WCF client that interfaces to the may allow the execution of certain arbitrary SQL commands remotely

CVE-2024-7587 HIGH
7.8 Oct 22

Incorrect Default Permissions vulnerability in GenBroker32, which is included in the installers for Mitsubishi Electric

CVE-2024-26314 HIGH
7.8 Jul 02

Improper privilege management in Jungo WinDriver 6.0.0 through 16.1.0 allows local attackers to escalate privileges and

CVE-2024-25088 HIGH
7.8 Jul 02

Improper privilege management in Jungo WinDriver before 12.5.1 allows local attackers to escalate privileges and execute

CVE-2024-25086 HIGH
7.8 Jul 02

Improper privilege management in Jungo WinDriver before 12.2.0 allows local attackers to escalate privileges and execute

CVE-2024-22106 HIGH
7.8 Jul 02

Improper privilege management in Jungo WinDriver before 12.5.1 allows local attackers to escalate privileges, execute ar

CVE-2022-33320 HIGH
7.8 Jul 20

Deserialization of Untrusted Data vulnerability in Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.1, Mitsubishi E

Share

CVE-2025-14816 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy