CVSS Vector
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description
Cleartext Storage of Sensitive Information in GUI vulnerability in Mitsubishi Electric GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric MobileHMI versions 10.97.3 and prior, Mitsubishi Electric Hyper Historian versions 10.97.3 and prior, Mitsubishi Electric AnalytiX versions 10.97.3 and prior, Mitsubishi Electric GENESIS versions 11.02 and prior, Mitsubishi Electric MC Works64 all versions, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions MobileHMI versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions Hyper Historian versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions AnalytiX versions 10.97.3 and prior, and Mitsubishi Electric Iconics Digital Solutions GENESIS versions 11.02 and prior allows a local attacker to disclose the SQL Server credentials displayed in plain text in the GUI of the Hyper Historian Splitter feature by exploiting this vulnerability, when SQL authentication is used for the SQL Server authentication. As a result, the unauthorized attacker could access the SQL Server and disclose, tamper with, or destroy data on the server, potentially cause a denial-of-service (DoS) condition on the system.
Analysis
SQL Server credentials are displayed in cleartext within the Hyper Historian Splitter GUI across multiple Mitsubishi Electric SCADA/HMI platforms (GENESIS64, ICONICS Suite, MC Works64, and related products), allowing local authenticated attackers with low privileges to capture database credentials and subsequently gain unauthorized access to backend SQL Servers. This affects versions 10.97.3 and prior for most products and all versions of MC Works64. No active exploitation confirmed (not in CISA KEV), though CISA has issued ICS advisory ICSA-26-097-01. With a CVSS 9.3 (Critical) score reflecting high confidentiality, integrity, and availability impact on both vulnerable and subsequent systems, the risk centers on credential theft enabling downstream SQL Server compromise.
Technical Context
This vulnerability (CWE-317: Cleartext Storage of Sensitive Information in the GUI) affects Mitsubishi Electric's industrial automation and SCADA product family, specifically the Hyper Historian Splitter feature when configured to use SQL Server authentication mode. The affected products (GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian, AnalytiX, GENESIS, and MC Works64) are human-machine interface (HMI) and supervisory control platforms widely deployed in industrial control systems (ICS) environments. The vulnerability exposes SQL authentication credentials directly in the graphical user interface without encryption or masking. This is distinct from CWE-256 (plaintext password storage in files) because the exposure occurs in the runtime GUI itself, making credentials visible to any user with local access to the application interface. The CPE strings identify both Mitsubishi Electric Corporation and Mitsubishi Electric Iconics Digital Solutions branded versions, indicating this is a shared codebase issue across product rebranding. The CVSS 4.0 vector (AV:L/AC:L/PR:L) confirms that exploitation requires local system access as a low-privileged authenticated user, with low attack complexity.
Affected Products
Mitsubishi Electric GENESIS64 versions 10.97.3 and prior, ICONICS Suite versions 10.97.3 and prior, MobileHMI versions 10.97.3 and prior, Hyper Historian versions 10.97.3 and prior, AnalytiX versions 10.97.3 and prior, GENESIS versions 11.02 and prior, and MC Works64 all versions are affected. The vulnerability also impacts the equivalent products under Mitsubishi Electric Iconics Digital Solutions branding, with identical version ranges. Complete CPE identifiers are available for cpe:2.3:a:mitsubishi_electric_corporation:genesis64, iconics_suite, mobilehmi, hyper_historian, analytix, and their Digital Solutions counterparts. The official vendor security advisory is available at https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-023_en.pdf, with coordination notices from CISA (https://www.cisa.gov/news-events/ics-advisories/icsa-26-097-01) and JPCERT (https://jvn.jp/vu/JVNVU90646130/).
Remediation
Apply security updates according to Mitsubishi Electric PSIRT advisory 2025-023, available at https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-023_en.pdf. Specific patched versions are not enumerated in the provided intelligence data; consult the vendor advisory directly for update instructions and fixed release versions. Until patches can be deployed, implement compensating controls, including restricting local access to HMI workstations running affected software to authorized personnel only, enforcing Windows authentication for SQL Server connections instead of SQL authentication mode where architecturally feasible, implementing database activity monitoring to detect unauthorized credential usage, applying the principle of least privilege to SQL Server accounts used by Hyper Historian, and deploying endpoint monitoring to detect credential harvesting attempts. For MC Works64, where all versions are affected, prioritize migration planning if the vendor indicates end-of-support status. Follow the guidance in CISA advisory ICSA-26-097-01 for additional ICS-specific hardening measures.
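One way to check the SQL Server side of the compensating controls above (authentication mode, least privilege for the historian account, and monitoring for use of that credential from unexpected clients). This is an added example, not taken from the vendor or CISA advisories; the login name and client addresses are placeholders to replace with site values.

```sql
-- Added example. Placeholders below are assumptions, not values from the advisory.
-- Requires VIEW SERVER STATE (for the DMVs) and permission to read login metadata.
DECLARE @HistorianLogin sysname = N'<historian_sql_login>';  -- SQL login used for the Splitter connection
DECLARE @AllowedClients TABLE (client_net_address varchar(48) PRIMARY KEY);
INSERT INTO @AllowedClients VALUES ('<historian-host-ip>');  -- clients expected to use that login

-- 1. Authentication mode: 1 = Windows authentication only, 0 = mixed mode
--    (SQL logins accepted, so a disclosed SQL password is usable).
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. Least-privilege review: every enabled SQL-authenticated login,
--    its password-policy flags, and any fixed server role it holds
--    (one row per login/role; server_role is NULL when it holds none).
SELECT  l.name                  AS login_name,
        l.is_policy_checked,
        l.is_expiration_checked,
        r.name                  AS server_role
FROM    sys.sql_logins AS l
LEFT JOIN sys.server_role_members AS m
       ON m.member_principal_id = l.principal_id
LEFT JOIN sys.server_principals AS r
       ON r.principal_id = m.role_principal_id
WHERE   l.is_disabled = 0
ORDER BY l.name, r.name;

-- 3. Activity check: current sessions authenticated as the historian login
--    from a network address that is not on the expected-client list.
--    client_net_address is used for the allowlist because host_name and
--    program_name are supplied by the client and shown only for context.
SELECT  s.session_id,
        s.login_name,
        c.client_net_address,
        s.host_name,
        s.program_name,
        s.login_time
FROM    sys.dm_exec_sessions AS s
JOIN    sys.dm_exec_connections AS c
       ON c.session_id = s.session_id
WHERE   s.login_name = @HistorianLogin
  AND   NOT EXISTS (SELECT 1
                    FROM   @AllowedClients AS a
                    WHERE  a.client_net_address = c.client_net_address)
ORDER BY s.login_time;
```

Query 3 only sees sessions open at the time it runs; for continuous coverage, run it on a schedule or move the same condition into SQL Server login auditing.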
EUVD-2025-209296