Mitsubishi Patches Vulnerabilities Disclosed at ICS Hacking Contest

Mitsubishi Electric and its subsidiary ICONICS have released patches for the vulnerabilities disclosed earlier this year at the Pwn2Own Miami hacking competition, which focused on industrial control systems (ICS).

White hat hackers earned a total of $280,000 for the exploits they demonstrated at the Zero Day Initiative’s Pwn2Own contest in January, including $80,000 for vulnerabilities found in ICONICS’s Genesis64 HMI/SCADA product.

The researchers who successfully hacked the ICONICS product were Pedro Ribeiro and Radek Domanski of Flashback team; Tobias Scharnowski, Niklas Breitfeld and Ali Abbasi from the Horst Goertz Institute for IT-Security; Yehuda Anikster of Claroty; and Steven Seeley and Chris Anastasio of Incite team.

They reported five critical and high-severity vulnerabilities to ICONICS, including ones that allow a remote attacker to execute arbitrary code and launch denial-of-service (DoS) attacks by sending specially crafted packets to the targeted system. One vulnerability can allow an attacker to execute arbitrary SQL commands.

The flaws impact Genesis64, Hyper Historian, AnalytiX, MobileHMI, Genesis32 and BizViz. The same vulnerabilities have also been found to impact Mitsubishi’s MC Works64 and MC Works32 SCADA software. Separate advisories have been published for the affected ICONICS and Mitsubishi products by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the vendors.

ZDI told SecurityWeek that it will soon publish advisories for the ICONICS vulnerabilities disclosed at Pwn2Own Miami.

Industrial cybersecurity firm Claroty discovered CVE-2020-12015, a deserialization bug that can be exploited for DoS attacks. This was one of the five vulnerabilities demonstrated by the company at Pwn2Own — the other flaws impacted products from different vendors.

“The ICONICS Genesis64 software is a human-machine interface (HMI) service that allows connectivity and monitoring of many different ‘shop floor’ devices. This product may be used to monitor and control the physical process in different verticals of the automation world. This means that disabling it through a DoS attack may harm the ability to control the process and cause it to shut down,” Nadav Erez, research team lead at Claroty, said via email.

“A Remote Code Execution (RCE) attack on such a service could allow the attacker to alter the values monitored by the engineer, thus also compromising the safety of the process. In all reported vulnerabilities, no authentication was required, and so an attacker with access to the network could exploit them and attack the service,” Erez explained.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
