ICSA-23-229-01 · Published 2023-08-17
ICONICS and Mitsubishi Electric Products
CVSS 5.9 (MEDIUM)
Risk Summary
Successful exploitation of these vulnerabilities could result in information disclosure, denial-of-service, or remote code execution.
Remediations
- Version 10.97.2 Critical Fixes Rollup 2 and later is not vulnerable to these exploits. ICONICS recommends that users of its products take the following mitigation steps:
  - Ensure the 10.97.2 Critical Fixes Rollup release is applied to version 10.97.2 systems.
  - For systems that do not contain the patch/fix:
    - Do not use the BACnet/SC feature on a production system.
- ICONICS and Mitsubishi Electric recommend updating the ICONICS Suite with the latest security patches as they become available. ICONICS Suite security patches may be found here (login required).
- ICONICS and Mitsubishi Electric are releasing security updates as critical fix/rollup releases. For more information, refer to the ICONICS whitepaper on security vulnerabilities, the most recent version of which can be found here.
- Additional information about the security updates may also be found in Mitsubishi Electric's security advisories:
  - Advisory 2022-014
  - Advisory 2023-009
Affected Vendors
ICONICS, Mitsubishi Electric
Affected Products (1)
ICONICS, Mitsubishi Electric · ICONICS Suite including GENESIS64, Hyper Historian, AnalytiX, and MobileHMI · 10.97.2
Affected Sectors
Critical Manufacturing