SecurityWeek

Details Disclosed for SCADA Flaws That Could Facilitate Industrial Attacks

Palo Alto Networks has shared details on several high-severity Mitsubishi Electric and Iconics SCADA vulnerabilities.

Palo Alto Networks has disclosed the details of five high-severity vulnerabilities affecting Iconics and Mitsubishi Electric supervisory control and data acquisition (SCADA) products.

Impacted products include Genesis64 and MC Works64. The same vulnerabilities affect both Iconics and Mitsubishi Electric products because the former is part of the latter. 

The SCADA vulnerabilities include DLL hijacking (CVE-2024-1182), incorrect default permission (CVE-2024-7587), uncontrolled search path element (CVE-2024-8299 and CVE-2024-9852), and dead code (CVE-2024-8300) issues.

Exploitation of all these security holes requires authentication, but they can allow attackers who have already gained access to the targeted organization’s systems to execute arbitrary code, elevate privileges, and manipulate critical files.

In a real-world attack aimed at industrial systems, an attacker could leverage the SCADA vulnerabilities to cause disruption and, in some cases, to take full control of a system.

“In combination, these vulnerabilities pose a risk to the confidentiality, integrity and availability of a system,” the cybersecurity firm warned.

Palo Alto noted that the vulnerabilities could be valuable to attackers considering that the Iconics and Mitsubishi Electric products have hundreds of thousands of installations around the world, including in sectors such as government, military, water, manufacturing, and energy.

The vulnerabilities were discovered by the security firm’s researchers Asher Davila and Malav Vyas in early 2024 in Iconics Suite and Mitsubishi Electric MC Works versions 10.97.2 and 10.97.3 for Windows. Patches and mitigations were released last year.

The existence of the security holes came to light in 2024, when the cybersecurity agency CISA and the impacted vendors published advisories and announced patches and mitigations. 

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
