EUVD-2025-209294

CVE-2025-14815 CRITICAL
2026-04-08 Mitsubishi GHSA-p3rg-2cj3-m987
CVSS 4.0: 9.3

CVSS Vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X

Lifecycle Timeline

EUVD ID Assigned: Apr 08, 2026 - 14:16 (euvd), EUVD-2025-209294
Analysis Generated: Apr 08, 2026 - 14:16 (vuln.today)
CVE Published: Apr 08, 2026 - 13:15 (nvd), CRITICAL 9.3

Description

Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric MobileHMI versions 10.97.3 and prior, Mitsubishi Electric Hyper Historian versions 10.97.3 and prior, Mitsubishi Electric AnalytiX versions 10.97.3 and prior, Mitsubishi Electric GENESIS versions 11.02 and prior, Mitsubishi Electric MC Works64 all versions, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions MobileHMI versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions Hyper Historian versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions AnalytiX versions 10.97.3 and prior, and Mitsubishi Electric Iconics Digital Solutions GENESIS versions 11.02 and prior allows a local attacker to disclose the SQL Server credentials stored in plaintext within the local SQLite file by exploiting this vulnerability, when the local caching feature using SQLite is enabled and SQL authentication is used for the SQL Server authentication. As a result, the unauthorized attacker could access the SQL Server and disclose, tamper with, or destroy data on the server, and potentially cause a denial-of-service (DoS) condition on the system.

Analysis

Plaintext SQL Server credential storage in Mitsubishi Electric SCADA/HMI products allows local authenticated attackers, with low attack complexity, to extract database credentials from SQLite cache files, enabling subsequent unauthorized SQL Server access for data manipulation and denial-of-service attacks. It affects multiple product lines, including GENESIS64 ≤10.97.3, ICONICS Suite ≤10.97.3, and all MC Works64 versions, when local SQLite caching is enabled with SQL authentication. The CVSS 9.3 severity reflects the extensive downstream impact potential (confidentiality, integrity, and availability across both the vulnerable system and the connected SQL Server). There is no evidence of active exploitation (not in CISA KEV), but EPSS data is unavailable, and attack complexity is rated low with only local authenticated access required.

Technical Context

This vulnerability stems from CWE-312 (Cleartext Storage of Sensitive Information) in Mitsubishi Electric's industrial automation HMI/SCADA platforms. The affected products (GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian, AnalytiX, GENESIS, and MC Works64) implement an optional local caching feature using SQLite databases to store operational data. When configured to authenticate with backend SQL Server databases using SQL authentication (as opposed to Windows authentication), these systems persist SQL Server credentials in plaintext within the local SQLite database files. The CVSS:4.0 vector (AV:L/AC:L/PR:L) indicates that local access with low privileges is required for exploitation, while the subsequent-system impact metrics (SC:H/SI:H/SA:H) reflect that successful credential extraction enables cascading attacks against the SQL Server infrastructure, potentially affecting industrial control system databases containing process data, alarms, and historian information critical to operational technology environments.

Affected Products

Mitsubishi Electric GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric MobileHMI versions 10.97.3 and prior, Mitsubishi Electric Hyper Historian versions 10.97.3 and prior, Mitsubishi Electric AnalytiX versions 10.97.3 and prior, Mitsubishi Electric GENESIS versions 11.02 and prior, and Mitsubishi Electric MC Works64 all versions. The vulnerability also affects the corresponding products under the Mitsubishi Electric Iconics Digital Solutions branding, with identical version ranges. Complete CPE identifiers include cpe:2.3:a:mitsubishi_electric_corporation:genesis64 through cpe:2.3:a:mitsubishi_electric_iconics_digital_solutions:analytix. The vendor security advisory is available at https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-023_en.pdf, with additional coordination through CISA ICS advisory ICSA-26-097-01.

Remediation

Mitsubishi Electric has released security advisory 2025-023, which details remediation guidance, at https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-023_en.pdf, though specific patched version numbers are not confirmed from available data sources at time of analysis. Organizations should immediately consult the vendor advisory for update instructions and apply vendor-released patches when available. As an interim mitigation where immediate patching is not feasible, disable the local SQLite caching feature if it is not operationally required, or switch from SQL authentication to Windows Integrated Authentication for SQL Server connections to eliminate plaintext credential storage. Implement strict access controls on systems running affected software to minimize local access by untrusted users, apply the principle of least privilege to operator accounts, and monitor SQLite database file access for unauthorized reads. Review SQL Server authentication logs for unexpected connection attempts that may indicate credential compromise. CISA advisory ICSA-26-097-01 at https://www.cisa.gov/news-events/ics-advisories/icsa-26-097-01 provides additional sector-specific guidance for critical infrastructure operators.
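An added example (not from the vendor advisory or the affected products) for confirming exposure on a host during remediation: it opens a SQLite file read-only and reports which table and column contain a connection string with a password key, counting rows without ever printing the stored value. The cache file's location and schema are not given on this page, so the table and column names in the sample are constructed.

```python
import re
import sqlite3
from pathlib import Path

# password=/pwd= keys as written in ADO.NET-style SQL Server connection strings
PASSWORD_KEY = re.compile(r"(?:^|;)\s*(?:password|pwd)\s*=\s*[^;\s]", re.I)

def audit_connection(conn):
    """Return sorted (table, column, rows) for cells holding a cleartext password key."""
    hits = {}
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        quoted = '"' + table.replace('"', '""') + '"'
        cur = conn.execute(f"SELECT * FROM {quoted}")
        columns = [d[0] for d in cur.description]
        for row in cur:
            for column, value in zip(columns, row):
                if isinstance(value, bytes):
                    value = value.decode("utf-8", "ignore")
                if isinstance(value, str) and PASSWORD_KEY.search(value):
                    key = (table, column)
                    hits[key] = hits.get(key, 0) + 1  # count only, never the value
    return sorted((t, c, n) for (t, c), n in hits.items())

def audit_file(path):
    """Open a SQLite file read-only (no writes, no journal changes) and audit it."""
    conn = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        return audit_connection(conn)
    finally:
        conn.close()

def constructed_cache():
    """Constructed sample data; table and column names are invented for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE CacheSettings (name TEXT, value TEXT)")
    conn.executemany("INSERT INTO CacheSettings VALUES (?, ?)", [
        ("primary", "Server=db01;Database=Hist;User Id=svc;Password=EXAMPLE-ONLY;"),
        ("backup", "Server=db02;Database=Hist;Integrated Security=SSPI;"),
        ("note", "rotate the password quarterly"),
    ])
    return conn

if __name__ == "__main__":
    for table, column, rows in audit_connection(constructed_cache()):
        print(f"cleartext password key in {table}.{column}: {rows} row(s)")
```

Any finding means the SQL login named in that connection string should be treated as exposed and rotated once the cache is disabled or the connection is moved to Windows Integrated Authentication.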

Priority Score

56
KEV: 0
EPSS: +0.0
CVSS: +46
POC: 0
