Mitsubishi Electric GENESIS64, ICONICS Suite, MobileHMI, and MC Works64 OS Command Injection Vulnerability Allowing Arbitrary Code Execution

A vulnerability allowing OS command injection has been identified in the software keyboard function of several Mitsubishi Electric products, including GENESIS64, ICONICS Suite, MobileHMI, and MC Works64. This vulnerability exists in versions through 10.97.2 CFR3. By tampering with the configuration file of the keypad function, a local attacker could execute arbitrary executable files when a legitimate user uses the keyboard function. This exploitation could lead to unauthorized access to information on the user's PC, allowing for data disclosure, modification, deletion, or destruction. Additionally, the executed program could cause a denial-of-service condition on the system.

Impact

Exploitation of this vulnerability could allow for the execution of arbitrary executable files, leading to unauthorized access and manipulation of information on the affected PC, or causing a denial-of-service condition on the system.

Remediation

Users of GENESIS64, ICONICS Suite, or MobileHMI should upgrade to version 10.97.3 and apply the latest patch. For MC Works64, there are no plans to release a fixed version, but users are advised to migrate to GENESIS64 version 10.97.3 or later.