---
title: "Critical OS Command Injection Flaw in Mitsubishi Electric Iconics Products"
short_title: "Mitsubishi Electric Iconics products face critical OS command flaw"
description: "Mitsubishi Electric Iconics Suite, GENESIS64, and MC Works64 affected by CVE-2025-11774, enabling DoS, data tampering, and disclosure. Learn mitigation steps now."
author: "Vitus"
date: 2025-01-24
categories: [Cybersecurity, Vulnerabilities]
tags: [mitsubishi-electric, cve-2025-11774, os-command-injection, critical-manufacturing, ics-security]
score: 0.85
cve_ids: [CVE-2025-11774]
---
TL;DR
A high-severity OS command injection vulnerability (CVE-2025-11774) in Mitsubishi Electric Iconics products—including GENESIS64, ICONICS Suite, and MC Works64—could allow attackers to execute malicious code, leading to denial-of-service (DoS), data tampering, or information disclosure. Affected organizations are urged to apply patches or follow mitigation steps immediately to reduce risks.
---
Main Content
Introduction
Mitsubishi Electric has disclosed a critical vulnerability in its Iconics digital solutions, impacting multiple products used in critical manufacturing sectors worldwide. The flaw, tracked as CVE-2025-11774, enables OS command injection through the software’s keypad function, potentially allowing attackers to execute arbitrary code with serious consequences. This advisory details the affected systems, technical implications, and recommended actions to secure vulnerable deployments.
---
Key Points
- Vulnerability: CVE-2025-11774 (OS Command Injection) with a CVSS score of 8.2 (High).
- Affected Products: GENESIS64, ICONICS Suite, MobileHMI, and MC Works64.
- Impact: Successful exploitation could lead to DoS, information tampering, or data disclosure.
- Mitigation: Apply patches for GENESIS64 and ICONICS Suite, or upgrade to GENESIS V11. MC Works64 users should migrate to GENESIS64 v10.97.3 or later.
- Workarounds: Restrict network access, block remote logins, and enforce physical security measures.
---
Technical Details
The vulnerability resides in the keypad function of Mitsubishi Electric Iconics products. Attackers can exploit this flaw by tampering with the configuration file associated with the keypad function. When a legitimate user interacts with the keypad, the malicious code is executed, allowing attackers to:
- Disclose, tamper with, or delete sensitive information stored on the affected system.
- Trigger a denial-of-service (DoS) condition, disrupting operations.
- Execute arbitrary executable files (EXE), escalating the attack’s impact.
The vulnerability is not exploitable remotely but requires access to the local network or physical proximity to the affected system.
---
Impact Assessment
#### Affected Systems
The following Mitsubishi Electric Iconics products and versions are vulnerable:
- GENESIS64: Versions ≤10.97.2_CFR_3
- ICONICS Suite: Versions ≤10.97.2_CFR_3
- MobileHMI: Versions ≤10.97.2_CFR_3
- MC Works64: All versions (no patch planned; migration recommended)
#### Critical Infrastructure Risk
The affected products are widely deployed in critical manufacturing sectors, particularly in industrial control systems (ICS). Exploitation of this vulnerability could disrupt production lines, compromise sensitive data, or enable further attacks on connected systems.
#### Attack Vector
- Local Access Required: Attackers must have access to the local network or physical access to the system.
- Exploitation Method: Tampering with the keypad function’s configuration file to execute malicious code when a legitimate user interacts with the keypad.
---
Mitigation Steps
Mitsubishi Electric has provided the following remediation and mitigation strategies to address the vulnerability:
#### Vendor Fixes
1. GENESIS64 and ICONICS Suite:
- Upgrade to GENESIS64 v10.97.3 or later.
- Alternatively, migrate to GENESIS V11, which includes the fix.
- Download the patch from the [Community Portal](https://iconicsinc.my.site.com/community/s/software-update/a35QQ000000y2oXYAQ/10973-critical-fixes-rollup-2).
2. MC Works64:
- No patch will be released. Users are advised to upgrade to GENESIS64 v10.97.3 or later.
#### Workarounds and Best Practices
If patching is not immediately feasible, organizations should implement the following mitigation measures:
- Restrict Network Access: Use affected systems only within a local area network (LAN) and block remote logins from untrusted networks.
- Firewall and VPN: Deploy firewalls or virtual private networks (VPNs) to block unauthorized access. Ensure VPNs are updated to the latest version.
- Physical Security: Restrict physical access to systems running the affected products.
- Email Security: Avoid clicking on links or opening attachments in emails from untrusted sources.
- Antivirus Software: Install and maintain antivirus software on all affected systems.
- Security Advisories: Refer to Mitsubishi Electric’s [security advisory](https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-018_en.pdf) and the [ICONICS CERT page](https://iconics.com/About/Security/CERT) for updates.
---
Conclusion
The CVE-2025-11774 vulnerability poses a significant risk to organizations using Mitsubishi Electric Iconics products in critical manufacturing environments. While the flaw requires local access for exploitation, its potential impact—DoS, data tampering, and information disclosure—demands immediate action. Affected users should apply patches or migrate to secure versions as soon as possible. Additionally, implementing defensive measures such as network segmentation, physical security, and email best practices can reduce the risk of exploitation.
Organizations are encouraged to stay vigilant, monitor for updates, and follow CISA’s recommended practices for securing industrial control systems. No known public exploitation has been reported yet, but proactive measures are essential to prevent future attacks.
---
References
[^1]: CISA. "[ICSA-25-352-04 Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric Products](https://www.cisa.gov/news-events/ics-advisories/icsa-25-352-04)". Retrieved 2025-01-24.
[^2]: Mitsubishi Electric. "[Security Advisory 2025-018](https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-018_en.pdf)". Retrieved 2025-01-24.
[^3]: ICONICS. "[Security Vulnerabilities Whitepaper](https://iconics.com/About/Security/CERT)". Retrieved 2025-01-24.
[^4]: NIST. "[CVE-2025-11774 Detail](https://nvd.nist.gov/vuln/detail/CVE-2025-11774)". Retrieved 2025-01-24.