Skip to main content

Genesis64

27 CVEs product

Monthly

CVE-2025-14816 CRITICAL CISA Emergency

SQL Server credentials are displayed in cleartext within the Hyper Historian Splitter GUI across multiple Mitsubishi Electric SCADA/HMI platforms (GENESIS64, ICONICS Suite, MC Works64, and related products), allowing local authenticated attackers with low privileges to capture database credentials and subsequently gain unauthorized access to backend SQL Servers. This affects versions 10.97.3 and prior for most products and all versions of MC Works64. No active exploitation confirmed (not in CISA KEV), though CISA has issued ICS advisory ICSA-26-097-01. With a CVSS 9.3 (Critical) score reflecting high confidentiality, integrity, and availability impact on both vulnerable and subsequent systems, the risk centers on credential theft enabling downstream SQL Server compromise.

Information Disclosure Genesis64 Iconics Suite Mobilehmi Hyper Historian +3
NVD
CVSS 4.0
9.3
EPSS
0.0%
CVE-2025-14815 CRITICAL CISA Emergency

Plaintext SQL Server credential storage in Mitsubishi Electric SCADA/HMI products allows local authenticated attackers with low-complexity exploitation to extract database credentials from SQLite cache files, enabling subsequent unauthorized SQL Server access for data manipulation and denial-of-service attacks. Affects multiple product lines including GENESIS64 ≤10.97.3, ICONICS Suite ≤10.97.3, and all MC Works64 versions when local SQLite caching is enabled with SQL authentication. CVSS 9.3 severity reflects extensive downstream impact potential (confidentiality, integrity, availability across both vulnerable system and connected SQL Server). No evidence of active exploitation (not in CISA KEV), but EPSS data unavailable and attack complexity rated low with only local authenticated access required.

Information Disclosure Genesis64 Iconics Suite Mobilehmi Hyper Historian +3
NVD
CVSS 4.0
9.3
EPSS
0.0%
CVE-2024-7587 HIGH This Week

Incorrect Default Permissions vulnerability in GenBroker32, which is included in the installers for Mitsubishi Electric GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Denial Of Service Genesis64 Mc Works64
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2024-26314 HIGH This Week

Improper privilege management in Jungo WinDriver 6.0.0 through 16.1.0 allows local attackers to escalate privileges and execute arbitrary code. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation RCE Windriver Cpu Module Logging Configuration Tool Cw Configurator +32
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2024-25088 HIGH This Week

Improper privilege management in Jungo WinDriver before 12.5.1 allows local attackers to escalate privileges and execute arbitrary code. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation RCE Windriver Cpu Module Logging Configuration Tool Cw Configurator +32
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2024-25087 MEDIUM This Month

Denial of Service (DoS) vulnerability in Jungo WinDriver before 12.7.0 allows local attackers to cause a Windows blue screen error. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Denial Of Service Microsoft Windriver Cpu Module Logging Configuration Tool Cw Configurator +32
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2024-25086 HIGH This Week

Improper privilege management in Jungo WinDriver before 12.2.0 allows local attackers to escalate privileges and execute arbitrary code. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Code Injection RCE Windriver Cpu Module Logging Configuration Tool Cw Configurator +32
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2024-22106 HIGH This Week

Improper privilege management in Jungo WinDriver before 12.5.1 allows local attackers to escalate privileges, execute arbitrary code, or cause a Denial of Service (DoS). Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation RCE Denial Of Service Windriver Cpu Module Logging Configuration Tool +33
NVD
CVSS 3.1
7.8
EPSS
0.2%
CVE-2024-22105 MEDIUM This Month

Denial of Service (DoS) vulnerability in Jungo WinDriver before 12.5.1 allows local attackers to cause a Windows blue screen error. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Denial Of Service Microsoft Windriver Cpu Module Logging Configuration Tool Cw Configurator +32
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2024-22104 MEDIUM This Month

Out-of-Bounds Write vulnerability in Jungo WinDriver before 12.5.1 allows local attackers to cause a Windows blue screen error and Denial of Service (DoS). Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Buffer Overflow Microsoft Denial Of Service Memory Corruption Windriver +34
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2024-22103 MEDIUM This Month

Out-of-Bounds Write vulnerability in Jungo WinDriver before 12.6.0 allows local attackers to cause a Windows blue screen error and Denial of Service (DoS). Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Buffer Overflow Microsoft Denial Of Service Memory Corruption Windriver +34
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2024-22102 MEDIUM This Month

Denial of Service (DoS) vulnerability in Jungo WinDriver before 12.6.0 allows local attackers to cause a Windows blue screen error. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Denial Of Service Microsoft Windriver Cpu Module Logging Configuration Tool Cw Configurator +32
NVD
CVSS 3.1
5.5
EPSS
0.2%
CVE-2022-40264 HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ICONICS/Mitsubishi Electric GENESIS64 versions 10.96 to 10.97.2 allows an unauthenticated attacker to. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Path Traversal Genesis64
NVD
CVSS 3.1
7.1
EPSS
0.3%
CVE-2022-33320 HIGH This Week

Deserialization of Untrusted Data vulnerability in Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97 to 10.97.1,. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization Genesis64 Mc Works64
NVD
CVSS 3.1
7.8
EPSS
0.4%
CVE-2022-33319 CRITICAL Act Now

Out-of-bounds Read vulnerability in Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Denial Of Service Buffer Overflow Genesis64 Mc Works64
NVD
CVSS 3.1
9.1
EPSS
1.3%
CVE-2022-33318 CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97 to 10.97.1,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Genesis64 Mc Works64
NVD
CVSS 3.1
9.8
EPSS
45.5%
CVE-2022-33317 HIGH This Week

Inclusion of Functionality from Untrusted Control Sphere vulnerability in Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Genesis64 Mc Works64
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2022-33316 HIGH This Week

Deserialization of Untrusted Data vulnerability in Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97 to 10.97.1,. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization Genesis64 Mc Works64
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2022-33315 HIGH This Week

Deserialization of Untrusted Data vulnerability in Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97 to 10.97.1,. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization Genesis64 Mc Works64
NVD
CVSS 3.1
7.8
EPSS
0.3%
CVE-2022-29834 HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Genesis64
NVD
CVSS 3.1
7.5
EPSS
1.3%
CVE-2021-27041 HIGH This Week

A maliciously crafted DWG file can be used to write beyond the allocated buffer while parsing DWG files. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Memory Corruption Advance Steel Autocad +11
NVD
CVSS 3.1
7.8
EPSS
1.7%
CVE-2021-27040 LOW Monitor

A maliciously crafted DWG file can be forced to read beyond allocated boundaries when parsing the DWG file. Rated low severity (CVSS 3.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Information Disclosure Advance Steel Autocad +11
NVD
CVSS 3.1
3.3
EPSS
2.7%
CVE-2020-12015 HIGH This Week

A specially crafted communication packet sent to the affected systems could cause a denial-of-service condition due to improper deserialization. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Mc Works Mc Works32 Energy Analytix Facility Analytix +7
NVD
CVSS 3.1
7.5
EPSS
2.0%
CVE-2020-12013 CRITICAL Act Now

A specially crafted WCF client that interfaces to the may allow the execution of certain arbitrary SQL commands remotely. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Mc Works32 Mc Works64 Energy Analytix +8
NVD
CVSS 3.1
9.1
EPSS
3.0%
CVE-2020-12007 CRITICAL Act Now

A specially crafted communication packet sent to the affected devices could allow remote code execution and a denial-of-service condition due to a deserialization vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Mc Works Mc Works32 Energy Analytix +8
NVD
CVSS 3.1
9.8
EPSS
3.9%
CVE-2020-12009 HIGH This Week

A specially crafted communication packet sent to the affected device could cause a denial-of-service condition due to a deserialization vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Mc Works Mc Works32 Energy Analytix Facility Analytix +7
NVD
CVSS 3.1
7.5
EPSS
3.6%
CVE-2020-12011 CRITICAL Act Now

A specially crafted communication packet sent to the affected systems could cause a denial-of-service condition or allow remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Memory Corruption Mc Works Mc Works32 +9
NVD
CVSS 3.1
9.8
EPSS
29.2%
EPSS 0% CVSS 9.3
CRITICAL Emergency

SQL Server credentials are displayed in cleartext within the Hyper Historian Splitter GUI across multiple Mitsubishi Electric SCADA/HMI platforms (GENESIS64, ICONICS Suite, MC Works64, and related products), allowing local authenticated attackers with low privileges to capture database credentials and subsequently gain unauthorized access to backend SQL Servers. This affects versions 10.97.3 and prior for most products and all versions of MC Works64. No active exploitation confirmed (not in CISA KEV), though CISA has issued ICS advisory ICSA-26-097-01. With a CVSS 9.3 (Critical) score reflecting high confidentiality, integrity, and availability impact on both vulnerable and subsequent systems, the risk centers on credential theft enabling downstream SQL Server compromise.

Information Disclosure Genesis64 Iconics Suite +5
NVD
EPSS 0% CVSS 9.3
CRITICAL Emergency

Plaintext SQL Server credential storage in Mitsubishi Electric SCADA/HMI products allows local authenticated attackers with low-complexity exploitation to extract database credentials from SQLite cache files, enabling subsequent unauthorized SQL Server access for data manipulation and denial-of-service attacks. Affects multiple product lines including GENESIS64 ≤10.97.3, ICONICS Suite ≤10.97.3, and all MC Works64 versions when local SQLite caching is enabled with SQL authentication. CVSS 9.3 severity reflects extensive downstream impact potential (confidentiality, integrity, availability across both vulnerable system and connected SQL Server). No evidence of active exploitation (not in CISA KEV), but EPSS data unavailable and attack complexity rated low with only local authenticated access required.

Information Disclosure Genesis64 Iconics Suite +5
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Incorrect Default Permissions vulnerability in GenBroker32, which is included in the installers for Mitsubishi Electric GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Denial Of Service Genesis64 +1
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Improper privilege management in Jungo WinDriver 6.0.0 through 16.1.0 allows local attackers to escalate privileges and execute arbitrary code. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation RCE Windriver +34
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Improper privilege management in Jungo WinDriver before 12.5.1 allows local attackers to escalate privileges and execute arbitrary code. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation RCE Windriver +34
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Denial of Service (DoS) vulnerability in Jungo WinDriver before 12.7.0 allows local attackers to cause a Windows blue screen error. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Denial Of Service Microsoft Windriver +34
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Improper privilege management in Jungo WinDriver before 12.2.0 allows local attackers to escalate privileges and execute arbitrary code. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Code Injection RCE Windriver +34
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Improper privilege management in Jungo WinDriver before 12.5.1 allows local attackers to escalate privileges, execute arbitrary code, or cause a Denial of Service (DoS). Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation RCE Denial Of Service +35
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Denial of Service (DoS) vulnerability in Jungo WinDriver before 12.5.1 allows local attackers to cause a Windows blue screen error. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Denial Of Service Microsoft Windriver +34
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Out-of-Bounds Write vulnerability in Jungo WinDriver before 12.5.1 allows local attackers to cause a Windows blue screen error and Denial of Service (DoS). Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Buffer Overflow Microsoft Denial Of Service +36
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Out-of-Bounds Write vulnerability in Jungo WinDriver before 12.6.0 allows local attackers to cause a Windows blue screen error and Denial of Service (DoS). Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Buffer Overflow Microsoft Denial Of Service +36
NVD
EPSS 0% CVSS 5.5
MEDIUM This Month

Denial of Service (DoS) vulnerability in Jungo WinDriver before 12.6.0 allows local attackers to cause a Windows blue screen error. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. No vendor patch available.

Denial Of Service Microsoft Windriver +34
NVD
EPSS 0% CVSS 7.1
HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ICONICS/Mitsubishi Electric GENESIS64 versions 10.96 to 10.97.2 allows an unauthenticated attacker to. Rated high severity (CVSS 7.1), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Path Traversal Genesis64
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Deserialization of Untrusted Data vulnerability in Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97 to 10.97.1,. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization Genesis64 Mc Works64
NVD
EPSS 1% CVSS 9.1
CRITICAL Act Now

Out-of-bounds Read vulnerability in Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Denial Of Service Buffer Overflow +2
NVD
EPSS 45% CVSS 9.8
CRITICAL Act Now

Deserialization of Untrusted Data vulnerability in Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97 to 10.97.1,. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Genesis64 Mc Works64
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Inclusion of Functionality from Untrusted Control Sphere vulnerability in Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

RCE Genesis64 Mc Works64
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Deserialization of Untrusted Data vulnerability in Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97 to 10.97.1,. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization Genesis64 Mc Works64
NVD
EPSS 0% CVSS 7.8
HIGH This Week

Deserialization of Untrusted Data vulnerability in Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97 to 10.97.1,. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Deserialization Genesis64 Mc Works64
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Genesis64
NVD
EPSS 2% CVSS 7.8
HIGH This Week

A maliciously crafted DWG file can be used to write beyond the allocated buffer while parsing DWG files. Rated high severity (CVSS 7.8), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Memory Corruption +13
NVD
EPSS 3% CVSS 3.3
LOW Monitor

A maliciously crafted DWG file can be forced to read beyond allocated boundaries when parsing the DWG file. Rated low severity (CVSS 3.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Information Disclosure +13
NVD
EPSS 2% CVSS 7.5
HIGH This Week

A specially crafted communication packet sent to the affected systems could cause a denial-of-service condition due to improper deserialization. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Mc Works Mc Works32 +9
NVD
EPSS 3% CVSS 9.1
CRITICAL Act Now

A specially crafted WCF client that interfaces to the may allow the execution of certain arbitrary SQL commands remotely. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Mc Works32 +10
NVD
EPSS 4% CVSS 9.8
CRITICAL Act Now

A specially crafted communication packet sent to the affected devices could allow remote code execution and a denial-of-service condition due to a deserialization vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Mc Works +10
NVD
EPSS 4% CVSS 7.5
HIGH This Week

A specially crafted communication packet sent to the affected device could cause a denial-of-service condition due to a deserialization vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Mc Works Mc Works32 +9
NVD
EPSS 29% CVSS 9.8
CRITICAL Act Now

A specially crafted communication packet sent to the affected systems could cause a denial-of-service condition or allow remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Memory Corruption +11
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy