← Back to home
ICSA-26-097-01  ·  Published 2026-04-07  ·  View on CISA ICS-CERT ↗

Mitsubishi Electric GENESIS64 and ICONICS Suite products

CVSS 8.8 HIGH

Risk Summary

Successful exploitation of these vulnerabilities could allow a local attacker to disclose SQL Server credentials used by the affected products and use them to disclose, tamper with, or destroy data, or to cause a denial-of-service (DoS) condition on the system.

CVEs (2)

Remediations

  • Mitsubishi Electric is releasing fixed version 10.98 or later for GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian and AnalytiX. Please download the fixed version from the link "https://iconicsinc.my.site.com/community/s/resource-center/product-downloads" and install it. After installation, perform the following step (1) and (2). (1) In Workbench, open the “Configure Application(s) Settings” dialog. In the “Available Applications” list, uncheck the “Local Cache” column for applications. (2) Delete the files created by the local cache functionality from "C:\ProgramData\ICONICS\Cache\*.sdf". For more information on the fixed version, refer to the Mitsubishi Electric security advisory at "https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2025-023.pdf".
  • Mitsubishi Electric Iconics Digital Solutions is releasing fixed version 10.98 or later for GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian and AnalytiX. Please download the fixed version from the link "https://iconicsinc.my.site.com/community/s/resource-center/product-downloads" and install it. After installation, perform the following step (1) and (2). (1) In Workbench, open the “Configure Application(s) Settings” dialog. In the “Available Applications” list, uncheck the “Local Cache” column for applications. (2) Delete the files created by the local cache functionality from "C:\ProgramData\ICONICS\Cache\*.sdf". For more information on the fixed version, refer to the Mitsubishi Electric Iconics Digital Solutions whitepaper on security vulnerabilities which can be found at "https://iconics.com/about/security/cert".
  • Mitsubishi Electric is releasing fixed version 11.03 or later for GENESIS. Please download the fixed version from the link "https://iconicsinc.my.site.com/community/s/resource-center/product-downloads" and install it. After installation, perform the following step (1) and (2). (1) In Workbench, open the “Configure Application(s) Settings” dialog. In the “Available Applications” list, uncheck the “Local Cache” column for applications. (2) Delete the files created by the local cache functionality from "C:\ProgramData\ICONICS\11\Cache\*.sqlite3". For more information on the fixed version, refer to the Mitsubishi Electric security advisory at "https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2025-023.pdf".
  • Mitsubishi Electric Iconics Digital Solutions is releasing fixed version 11.03 or later for GENESIS. Please download the fixed version from the link "https://iconicsinc.my.site.com/community/s/resource-center/product-downloads" and install it. After installation, perform the following step (1) and (2). (1) In Workbench, open the “Configure Application(s) Settings” dialog. In the “Available Applications” list, uncheck the “Local Cache” column for applications. (2) Delete the files created by the local cache functionality from "C:\ProgramData\ICONICS\11\Cache\*.sqlite3". For more information on the fixed version, refer to the Mitsubishi Electric Iconics Digital Solutions whitepaper on security vulnerabilities which can be found at "https://iconics.com/about/security/cert".
  • There are no plans to release fixed version for MC Works64. For users of MC Works64, refer to the Mitsubishi Electric security advisory "https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2025-023.pdf", and take the actions described there.
  • For customer of GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian, and AnalytiX that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend performing the following step (1) and (2). (1) In Workbench, open the “Configure Application(s) Settings” dialog. In the “Available Applications” list, uncheck the “Local Cache” column for applications. (2) Delete the files created by the local cache functionality from "C:\ProgramData\ICONICS\Cache\*.sdf".
  • For customer of GENESIS that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend performing the following step (1) and (2). (1) In Workbench, open the “Configure Application(s) Settings” dialog. In the “Available Applications” list, uncheck the “Local Cache” column for applications. (2) Delete the files created by the local cache functionality from "C:\ProgramData\ICONICS\11\Cache\*.sqlite3".
  • For customer of MC Works 64, Mitsubishi Electric recommends performing the following step (1) and (2). (1)In Workbench, open the “Configure Application(s) Settings” dialog. In the “Available Applications” list, uncheck the “Local Cache” column for applications. (2) Delete the files created by the local cache functionality from "C:\ProgramData\ICONICS\Cache\*.sdf".
  • For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend using Windows authentication instead of SQL authentication for the SQL server authentication method, to minimize the risk of exploiting this vulnerability.
  • For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend configuring the PCs with the affected product installed so that only an administrator can log in, to minimize the risk of exploiting this vulnerability.
  • For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend using the PCs with the affected product installed in the LAN and blocking remote login from untrusted networks and hosts, and from non-administrator users, to minimize the risk of exploiting this vulnerability.
  • For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend blocking unauthorized access by using a firewall, virtual private network (VPN), etc. and allowing remote login only to administrator when internet access is required, to minimize the risk of exploiting this vulnerability.
  • For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend restricting physical access to the PC with the affected product installed and to the network to which the PC is connected, to minimize the risk of exploiting this vulnerability.
  • For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend preventing the user from clicking on web links in emails from untrusted sources, or from opening attachments in untrusted emails, to minimize the risk of exploiting this vulnerability.
  • Mitsubishi Electric is releasing fixed version 10.98 or later for GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian and AnalytiX. Please download the fixed version from the link "https://iconicsinc.my.site.com/community/s/resource-center/product-downloads" and install it. For more information on the fixed version, refer to the Mitsubishi Electric security advisory at "https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2025-023.pdf".
  • Mitsubishi Electric Iconics Digital Solutions is releasing fixed version 10.98 or later for GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian and AnalytiX. Please download the fixed version from the link "https://iconicsinc.my.site.com/community/s/resource-center/product-downloads" and install it. For more information on the fixed version, refer to the Mitsubishi Electric Iconics Digital Solutions whitepaper on security vulnerabilities which can be found at "https://iconics.com/about/security/cert".
  • Mitsubishi Electric is releasing fixed version 11.03 or later for GENESIS. Please download the fixed version from the link "https://iconicsinc.my.site.com/community/s/resource-center/product-downloads" and install it. For more information on the fixed version, refer to the Mitsubishi Electric security advisory at "https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2025-023.pdf".
  • Mitsubishi Electric Iconics Digital Solutions is releasing fixed version 11.03 or later for GENESIS. Please download the fixed version from the link "https://iconicsinc.my.site.com/community/s/resource-center/product-downloads" and install it. For more information on the fixed version, refer to the Mitsubishi Electric Iconics Digital Solutions whitepaper on security vulnerabilities which can be found at "https://iconics.com/about/security/cert".
  • For customer of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend performing the following steps (1) and (2). (1) Change the permissions of HHSplitter.exe so that only trusted administrators can execute it. (2) Delete HHSplitter.exe from the system if it is unnecessary.
  • For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend blocking unauthorized access by using a firewall, virtual private network (VPN), etc. and allowing remote login only to administrator when internet access is required, and from non-administrator users, to minimize the risk of exploiting this vulnerability.
  • For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend restricting physical access to the PC with the affected product installed and the network to which the PC is connected, to minimize the risk of exploiting this vulnerability.

Affected Vendors

Mitsubishi Electric Mitsubishi Electric Iconics Digital Solutions

Affected Products (13)

Mitsubishi Electric · GENESIS64 <=10.97.3
Mitsubishi Electric · ICONICS Suite <=10.97.3
Mitsubishi Electric · MobileHMI <=10.97.3
Mitsubishi Electric · Hyper Historian <=10.97.3
Mitsubishi Electric · AnalytiX <=10.97.3
Mitsubishi Electric · MC Works 64 vers:all/*
Mitsubishi Electric · GENESIS <=11.02
Mitsubishi Electric Iconics Digital Solutions · GENESIS64 <=10.97.3
Mitsubishi Electric Iconics Digital Solutions · ICONICS Suite <=10.97.3
Mitsubishi Electric Iconics Digital Solutions · MobileHMI <=10.97.3
Mitsubishi Electric Iconics Digital Solutions · Hyper Historian <=10.97.3
Mitsubishi Electric Iconics Digital Solutions · AnalytiX <=10.97.3
Mitsubishi Electric Iconics Digital Solutions · GENESIS <=11.02

Affected Sectors

Critical Manufacturing

Get alerted to advisories like this

OTWarden monitors CISA, BSI, Siemens, Rockwell and more — and emails you within 2 hours when your vendors are affected.

Start free trial Learn more