Mitsubishi Electric GENESIS64 and ICONICS Suite products
Mitsubishi Electric GENESIS64 and ICONICS Suite store SQL credentials in plaintext, enabling local credential
Summary
Mitsubishi Electric has disclosed two high-severity vulnerabilities (CVE-2025-14815, CVE-2025-14816) affecting GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian, AnalytiX, MC Works 64, and GENESIS products. Both flaws involve cleartext storage of SQL Server credentials—one in SQLite cache files and another in GUI display—allowing local attackers to extract credentials and compromise data or cause denial-of-service. Patches are available for most products (v10.98 or v11.03), with MC Works 64 receiving no fix.
Full text
ICS Advisory Mitsubishi Electric GENESIS64 and ICONICS Suite products Release DateApril 07, 2026 Alert CodeICSA-26-097-01 Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems View CSAF Summary Successful exploitation of these vulnerabilities could allow a local attacker to disclose SQL Server credentials used by the affected products and use them to disclose, tamper with, or destroy data, or to cause a denial-of-service (DoS) condition on the system. The following versions of Mitsubishi Electric GENESIS64 and ICONICS Suite products are affected: GENESIS64 <=10.97.3 (CVE-2025-14815, CVE-2025-14816) ICONICS Suite <=10.97.3 (CVE-2025-14815, CVE-2025-14816) MobileHMI <=10.97.3 (CVE-2025-14815, CVE-2025-14816) Hyper Historian <=10.97.3 (CVE-2025-14815, CVE-2025-14816) AnalytiX <=10.97.3 (CVE-2025-14815, CVE-2025-14816) MC Works 64 vers:all/* (CVE-2025-14815, CVE-2025-14816) GENESIS <=11.02 (CVE-2025-14815, CVE-2025-14816) CVSS Vendor Equipment Vulnerabilities v3 8.8 Mitsubishi Electric Mitsubishi Electric GENESIS64 and ICONICS Suite products Cleartext Storage of Sensitive Information, Cleartext Storage of Sensitive Information in GUI Background Critical Infrastructure Sectors: Critical Manufacturing Countries/Areas Deployed: Worldwide Company Headquarters Location: Mitsubishi Electric Iconics Digital Solutions is headquartered in the United States. Mitsubishi Electric is headquartered in Japan. Vulnerabilities Expand All + CVE-2025-14815 When the local caching feature using SQLite is enabled and SQL authentication is used for the SQL Server authentication, the SQL Server credentials are stored in plaintext within the local SQLite file. This results in a vulnerability due to Cleartext Storage of Sensitive Information (CWE 312), which may lead to information disclosure, tampering, or denial of service (DoS). View CVE Details Affected Products Mitsubishi Electric GENESIS64 and ICONICS Suite products Vendor:Mitsubishi Electric Product Version:Mitsubishi Electric GENESIS64: <=10.97.3, Mitsubishi Electric ICONICS Suite: <=10.97.3, Mitsubishi Electric MobileHMI: <=10.97.3, Mitsubishi Electric Hyper Historian: <=10.97.3, Mitsubishi Electric AnalytiX: <=10.97.3, Mitsubishi Electric MC Works 64: vers:all/*, Mitsubishi Electric GENESIS: <=11.02, Mitsubishi Electric Iconics Digital Solutions GENESIS64: <=10.97.3, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite: <=10.97.3, Mitsubishi Electric Iconics Digital Solutions MobileHMI: <=10.97.3, Mitsubishi Electric Iconics Digital Solutions Hyper Historian: <=10.97.3, Mitsubishi Electric Iconics Digital Solutions AnalytiX: <=10.97.3, Mitsubishi Electric Iconics Digital Solutions GENESIS: <=11.02 Product Status:known_affected Remediations Vendor fixMitsubishi Electric is releasing fixed version 10.98 or later for GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian and AnalytiX. Please download the fixed version from the link "https://iconicsinc.my.site.com/community/s/resource-center/product-downloads" and install it. After installation, perform the following step (1) and (2). (1) In Workbench, open the “Configure Application(s) Settings” dialog. In the “Available Applications” list, uncheck the “Local Cache” column for applications. (2) Delete the files created by the local cache functionality from "C:\ProgramData\ICONICS\Cache\*.sdf". For more information on the fixed version, refer to the Mitsubishi Electric security advisory at "https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2025-023.pdf".https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2025-023.pdf Vendor fixMitsubishi Electric Iconics Digital Solutions is releasing fixed version 10.98 or later for GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian and AnalytiX. Please download the fixed version from the link "https://iconicsinc.my.site.com/community/s/resource-center/product-downloads" and install it. After installation, perform the following step (1) and (2). (1) In Workbench, open the “Configure Application(s) Settings” dialog. In the “Available Applications” list, uncheck the “Local Cache” column for applications. (2) Delete the files created by the local cache functionality from "C:\ProgramData\ICONICS\Cache\*.sdf". For more information on the fixed version, refer to the Mitsubishi Electric Iconics Digital Solutions whitepaper on security vulnerabilities which can be found at "https://iconics.com/about/security/cert".https://iconics.com/about/security/cert Vendor fixMitsubishi Electric is releasing fixed version 11.03 or later for GENESIS. Please download the fixed version from the link "https://iconicsinc.my.site.com/community/s/resource-center/product-downloads" and install it. After installation, perform the following step (1) and (2). (1) In Workbench, open the “Configure Application(s) Settings” dialog. In the “Available Applications” list, uncheck the “Local Cache” column for applications. (2) Delete the files created by the local cache functionality from "C:\ProgramData\ICONICS\11\Cache\*.sqlite3". For more information on the fixed version, refer to the Mitsubishi Electric security advisory at "https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2025-023.pdf".https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2025-023.pdf Vendor fixMitsubishi Electric Iconics Digital Solutions is releasing fixed version 11.03 or later for GENESIS. Please download the fixed version from the link "https://iconicsinc.my.site.com/community/s/resource-center/product-downloads" and install it. After installation, perform the following step (1) and (2). (1) In Workbench, open the “Configure Application(s) Settings” dialog. In the “Available Applications” list, uncheck the “Local Cache” column for applications. (2) Delete the files created by the local cache functionality from "C:\ProgramData\ICONICS\11\Cache\*.sqlite3". For more information on the fixed version, refer to the Mitsubishi Electric Iconics Digital Solutions whitepaper on security vulnerabilities which can be found at "https://iconics.com/about/security/cert".https://iconics.com/about/security/cert No fix plannedThere are no plans to release fixed version for MC Works64. For users of MC Works64, refer to the Mitsubishi Electric security advisory "https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2025-023.pdf", and take the actions described there.https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2025-023.pdf MitigationFor customer of GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian, and AnalytiX that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend performing the following step (1) and (2). (1) In Workbench, open the “Configure Application(s) Settings” dialog. In the “Available Applications” list, uncheck the “Local Cache” column for applications. (2) Delete the files created by the local cache functionality from "C:\ProgramData\ICONICS\Cache\*.sdf". MitigationFor customer of GENESIS that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions recommend performing the following step (1) and (2). (1) In Workbench, open the “Configure Application(s) Settings” dialog. In the “Available Applications” list, uncheck the “Local Cache” column for applications. (2) Delete the files created by the local cache functionality from "C:\ProgramData\ICONICS\11\Cache\*.sqlite3". MitigationFor customer of MC Works 64, Mitsubishi Electric recommends performing the following step (1) and (2). (1)In Workbench, open the “Configure Application(s) Settings” dialog. In the “Available Applications” list, uncheck the “Local Cache” column for applications. (2) Delete the files created by the local cache functionality from "C:\ProgramData\ICONICS\Cache\*.sdf". MitigationFor customers of products that do not have a fixed version or who canno
Indicators of Compromise
- cve — CVE-2025-14815
- cve — CVE-2025-14816