Mitsubishi Electric ICS Vulnerabilities Expose SQL Credentials
- [01] Immediate impact: Local attackers can compromise critical ICS products, exposing SQL credentials and risking data disclosure, tampering, or denial-of-service.
- [02] Affected systems: Mitsubishi Electric GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian, AnalytiX (<=10.97.3) and GENESIS (<=11.02).
- [03] Remediation: Update affected Mitsubishi Electric and ICONICS Digital Solutions products to the latest patched versions (10.98+ or 11.03+).
High-Severity Vulnerabilities in Mitsubishi Electric ICS Products Threaten Critical Manufacturing
CISA has published an advisory detailing high-severity vulnerabilities in several Mitsubishi Electric GENESIS64 and ICONICS Suite products, widely deployed in Critical Manufacturing and other industrial sectors globally. These flaws, identified as CVE-2025-14815 and CVE-2025-14816, could allow a local attacker to disclose sensitive SQL Server credentials. Successful exploitation could lead to information disclosure, data tampering, or a denial-of-service (DoS) condition on affected systems, posing a significant risk to industrial control system (ICS) environments. This intelligence is crucial for security professionals managing industrial operations and highlights the ongoing need for rigorous security practices in operational technology (OT) environments.
Technical Details on Mitsubishi Electric ICS Vulnerabilities
Both CVEs carry a CVSS v3.1 base score of 8.8 (High Severity), indicating a substantial risk even though exploitation requires local access. The primary concern is the cleartext storage and display of SQL Server authentication credentials.
- CVE-2025-14815: Cleartext Storage of Sensitive Information (CWE-312). This vulnerability occurs when the local caching feature using SQLite is enabled and SQL authentication is configured for SQL Server. In this scenario, SQL Server credentials are stored in plaintext within the local SQLite database file. A local attacker gaining access to the system where the affected product is installed could easily retrieve these credentials, leading to unauthorized access to the connected SQL Server database. This can enable information disclosure, data tampering, or a denial-of-service condition affecting the database.
- CVE-2025-14816: Cleartext Storage of Sensitive Information in GUI (CWE-317). Specific to the Hyper Historian Splitter feature within the affected products, this vulnerability exposes SQL Server credentials in plain text directly within the Graphical User Interface (GUI) when SQL authentication is used. Any user with local GUI access could view these credentials, again enabling unauthorized access to the SQL Server with similar potential impacts.
Affected Products and Versions:
- GENESIS64: <=10.97.3
- ICONICS Suite: <=10.97.3
- MobileHMI: <=10.97.3
- Hyper Historian: <=10.97.3
- AnalytiX: <=10.97.3
- MC Works64: All versions (No fix planned)
- GENESIS: <=11.02
The vulnerabilities affect products from both Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions. The impact of CVE-2025-14815 on ICONICS Suite highlights the broad implications for industrial control systems that rely on these widely deployed software suites.
Actionable Recommendations and Mitigations
Defenders must prioritize addressing these vulnerabilities to secure their industrial environments. According to CISA’s advisory, the most effective remediation involves applying vendor-provided patches and implementing strong mitigation strategies.
Vendor Fixes:
- For GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian, and AnalytiX: Update to version 10.98 or later.
- For GENESIS: Update to version 11.03 or later.
- Post-Update Steps for CVE-2025-14815 (Applies after updating):
  - In Workbench, open “Configure Application(s) Settings” and uncheck the “Local Cache” column for applications.
  - Delete local cache files from C:\ProgramData\ICONICS\Cache\*.sdf (for v10.97.3 and earlier) or C:\ProgramData\ICONICS\11\Cache\*.sqlite3 (for GENESIS v11.02 and earlier).
- For MC Works64: There are currently no plans for a fixed version. Users must apply the recommended mitigations below.
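The post-update cleanup for CVE-2025-14815 as a PowerShell audit, added here as an example and not taken from the advisory or the vendor: it reports leftover cache files at the two paths above and flags principals other than administrators that hold access to those directories, deleting files only when -Remove is passed. The $expected principal list is an assumption (English Windows account names) to adjust to your own baseline.

```powershell
# Added example: audit and optionally remove leftover ICONICS local cache files.
[CmdletBinding(SupportsShouldProcess)]
param(
    # Without -Remove the script only reports; -WhatIf previews deletions.
    [switch]$Remove
)

# Cache directories and file patterns exactly as listed in the steps above.
$cacheTargets = @(
    @{ Dir = 'C:\ProgramData\ICONICS\Cache';    Filter = '*.sdf' },
    @{ Dir = 'C:\ProgramData\ICONICS\11\Cache'; Filter = '*.sqlite3' }
)

# Assumption: only these principals should hold access to the cache directories.
$expected = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators'

foreach ($t in $cacheTargets) {
    if (-not (Test-Path -LiteralPath $t.Dir)) {
        Write-Output "[ok] $($t.Dir) not present"
        continue
    }

    # Any other principal with an Allow entry could have read the cached credentials.
    $others = (Get-Acl -LiteralPath $t.Dir).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       $_.IdentityReference.Value -notin $expected } |
        ForEach-Object { $_.IdentityReference.Value } |
        Sort-Object -Unique
    foreach ($id in $others) {
        Write-Warning "$($t.Dir) grants access to $id"
    }

    $files = Get-ChildItem -LiteralPath $t.Dir -Filter $t.Filter -File -ErrorAction SilentlyContinue
    if (-not $files) {
        Write-Output "[ok] no $($t.Filter) files in $($t.Dir)"
        continue
    }
    foreach ($f in $files) {
        Write-Output ("[found] {0} ({1:N0} bytes, last written {2:u})" -f $f.FullName, $f.Length, $f.LastWriteTimeUtc)
        if ($Remove -and $PSCmdlet.ShouldProcess($f.FullName, 'Delete cache file')) {
            Remove-Item -LiteralPath $f.FullName -Force
        }
    }
}
```

Run it from an elevated prompt after unchecking “Local Cache” in Workbench. Deleting the files does not change the SQL Server password that was stored in them.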
General Mitigations for Mitsubishi Electric GENESIS64 10.97.3 and other affected products:
For systems where immediate patching is not possible, or for MC Works64 users:
- Authentication Method: Use Windows authentication instead of SQL authentication for SQL Server connections to minimize the risk of cleartext credential exposure.
- Least Privilege: Configure PCs with affected products so that only administrators can log in. Restrict execution of HHSplitter.exe to trusted administrators only, and delete HHSplitter.exe if it is unnecessary (for CVE-2025-14816).
- Network Segmentation: Deploy control system networks and remote devices behind firewalls and isolate them from business networks. Segmentation is a fundamental part of mitigating cleartext credential storage in ICONICS Suite and similar products.
- Secure Remote Access: If remote access is required, utilize secure methods such as Virtual Private Networks (VPN) and ensure they are updated to the latest versions. Block remote login from untrusted networks, hosts, and non-administrator users.
- Physical Security: Restrict physical access to PCs running affected products and their connected networks.
- User Awareness: Prevent users from clicking on web links or opening attachments from untrusted sources in emails, as this could be a vector for initial local access.
CISA emphasizes the importance of conducting proper impact analysis and risk assessment before deploying any defensive measures. Organizations should also refer to CISA’s broader recommendations for control systems security, including defense-in-depth strategies and targeted cyber intrusion detection. Staying vigilant and implementing a comprehensive security posture is paramount in protecting critical infrastructure from evolving threats.