Skip to main content

Mobilehmi

7 CVEs product

Monthly

CVE-2025-14816 CRITICAL CISA Emergency

SQL Server credentials are displayed in cleartext within the Hyper Historian Splitter GUI across multiple Mitsubishi Electric SCADA/HMI platforms (GENESIS64, ICONICS Suite, MC Works64, and related products), allowing local authenticated attackers with low privileges to capture database credentials and subsequently gain unauthorized access to backend SQL Servers. This affects versions 10.97.3 and prior for most products and all versions of MC Works64. No active exploitation confirmed (not in CISA KEV), though CISA has issued ICS advisory ICSA-26-097-01. With a CVSS 9.3 (Critical) score reflecting high confidentiality, integrity, and availability impact on both vulnerable and subsequent systems, the risk centers on credential theft enabling downstream SQL Server compromise.

Information Disclosure Genesis64 Iconics Suite Mobilehmi Hyper Historian +3
NVD
CVSS 4.0
9.3
EPSS
0.0%
CVE-2025-14815 CRITICAL CISA Emergency

Plaintext SQL Server credential storage in Mitsubishi Electric SCADA/HMI products allows local authenticated attackers with low-complexity exploitation to extract database credentials from SQLite cache files, enabling subsequent unauthorized SQL Server access for data manipulation and denial-of-service attacks. Affects multiple product lines including GENESIS64 ≤10.97.3, ICONICS Suite ≤10.97.3, and all MC Works64 versions when local SQLite caching is enabled with SQL authentication. CVSS 9.3 severity reflects extensive downstream impact potential (confidentiality, integrity, availability across both vulnerable system and connected SQL Server). No evidence of active exploitation (not in CISA KEV), but EPSS data unavailable and attack complexity rated low with only local authenticated access required.

Information Disclosure Genesis64 Iconics Suite Mobilehmi Hyper Historian +3
NVD
CVSS 4.0
9.3
EPSS
0.0%
CVE-2020-12015 HIGH This Week

A specially crafted communication packet sent to the affected systems could cause a denial-of-service condition due to improper deserialization. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Mc Works Mc Works32 Energy Analytix Facility Analytix +7
NVD
CVSS 3.1
7.5
EPSS
2.0%
CVE-2020-12013 CRITICAL Act Now

A specially crafted WCF client that interfaces to the may allow the execution of certain arbitrary SQL commands remotely. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Mc Works32 Mc Works64 Energy Analytix +8
NVD
CVSS 3.1
9.1
EPSS
3.0%
CVE-2020-12007 CRITICAL Act Now

A specially crafted communication packet sent to the affected devices could allow remote code execution and a denial-of-service condition due to a deserialization vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Mc Works Mc Works32 Energy Analytix +8
NVD
CVSS 3.1
9.8
EPSS
3.9%
CVE-2020-12009 HIGH This Week

A specially crafted communication packet sent to the affected device could cause a denial-of-service condition due to a deserialization vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Mc Works Mc Works32 Energy Analytix Facility Analytix +7
NVD
CVSS 3.1
7.5
EPSS
3.6%
CVE-2020-12011 CRITICAL Act Now

A specially crafted communication packet sent to the affected systems could cause a denial-of-service condition or allow remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Memory Corruption Mc Works Mc Works32 +9
NVD
CVSS 3.1
9.8
EPSS
29.2%
EPSS 0% CVSS 9.3
CRITICAL Emergency

SQL Server credentials are displayed in cleartext within the Hyper Historian Splitter GUI across multiple Mitsubishi Electric SCADA/HMI platforms (GENESIS64, ICONICS Suite, MC Works64, and related products), allowing local authenticated attackers with low privileges to capture database credentials and subsequently gain unauthorized access to backend SQL Servers. This affects versions 10.97.3 and prior for most products and all versions of MC Works64. No active exploitation confirmed (not in CISA KEV), though CISA has issued ICS advisory ICSA-26-097-01. With a CVSS 9.3 (Critical) score reflecting high confidentiality, integrity, and availability impact on both vulnerable and subsequent systems, the risk centers on credential theft enabling downstream SQL Server compromise.

Information Disclosure Genesis64 Iconics Suite +5
NVD
EPSS 0% CVSS 9.3
CRITICAL Emergency

Plaintext SQL Server credential storage in Mitsubishi Electric SCADA/HMI products allows local authenticated attackers with low-complexity exploitation to extract database credentials from SQLite cache files, enabling subsequent unauthorized SQL Server access for data manipulation and denial-of-service attacks. Affects multiple product lines including GENESIS64 ≤10.97.3, ICONICS Suite ≤10.97.3, and all MC Works64 versions when local SQLite caching is enabled with SQL authentication. CVSS 9.3 severity reflects extensive downstream impact potential (confidentiality, integrity, availability across both vulnerable system and connected SQL Server). No evidence of active exploitation (not in CISA KEV), but EPSS data unavailable and attack complexity rated low with only local authenticated access required.

Information Disclosure Genesis64 Iconics Suite +5
NVD
EPSS 2% CVSS 7.5
HIGH This Week

A specially crafted communication packet sent to the affected systems could cause a denial-of-service condition due to improper deserialization. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Mc Works Mc Works32 +9
NVD
EPSS 3% CVSS 9.1
CRITICAL Act Now

A specially crafted WCF client that interfaces to the may allow the execution of certain arbitrary SQL commands remotely. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Code Injection Mc Works32 +10
NVD
EPSS 4% CVSS 9.8
CRITICAL Act Now

A specially crafted communication packet sent to the affected devices could allow remote code execution and a denial-of-service condition due to a deserialization vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Deserialization Mc Works +10
NVD
EPSS 4% CVSS 7.5
HIGH This Week

A specially crafted communication packet sent to the affected device could cause a denial-of-service condition due to a deserialization vulnerability. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Deserialization Mc Works Mc Works32 +9
NVD
EPSS 29% CVSS 9.8
CRITICAL Act Now

A specially crafted communication packet sent to the affected systems could cause a denial-of-service condition or allow remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Buffer Overflow RCE Memory Corruption +11
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy