Unrated severity · NVD Advisory · Published Jul 16, 2020 · Updated Aug 4, 2024

CVE-2020-12013

Description

A specially crafted WCF client that interfaces to the may allow the execution of certain arbitrary SQL commands remotely. This affects: Mitsubishi Electric MC Works64 Version 4.02C (10.95.208.31) and earlier, all versions; Mitsubishi Electric MC Works32 Version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server v10.96 and prior; ICONICS GenBroker32 v9.5 and prior.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A specially crafted WCF client can inject arbitrary SQL commands into the SCADA system's server, affecting multiple Mitsubishi Electric and ICONICS products.

Vulnerability

This vulnerability, identified as CVE-2020-12013, is a code injection flaw (CWE-94) in the GridWorX server component of Mitsubishi Electric MC Works64 (Version 4.02C (10.95.208.31) and earlier) and MC Works32 (Version 3.00A (9.50.255.02)), and in the FrameWorX Server of ICONICS GENESIS64 (v10.96 and prior) and GENESIS32 (v9.5 and prior). The issue arises from improper control of code generation when a specially crafted WCF client communicates with the affected server, potentially allowing the execution of arbitrary SQL commands [1][2].

Exploitation

To exploit this, an attacker needs network access to the affected server and the ability to send a specially crafted WCF message from a custom client. No authentication or user interaction is required. The attacker crafts a malicious WCF message that triggers the code injection, leading to arbitrary SQL command execution [1][2].

Impact

Successful exploitation could allow an attacker to execute arbitrary SQL commands on the server. This may result in information disclosure, tampering with data, and potentially further compromise of the SCADA system. The CVSS v3 base score for this vulnerability is 9.4 (Critical), with the vector string indicating high impact on confidentiality, integrity, and availability [1][2].

Mitigation

Mitsubishi Electric recommends upgrading MC Works64 to the latest version and MC Works32 to Version 3.00B (9.50.256.01) or later. ICONICS recommends upgrading GENESIS64 to v10.97 or later and GENESIS32 to v9.6 or later. No workarounds are provided in the advisories, and the CISA advisory recommends applying vendor patches as soon as possible [1][2].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

6
  • Iconics/GenBroker64 (llm-fuzzy), 2 versions
    • (no CPE) range: <=10.96
    • (no CPE) range: v9.5 and prior
  • Range: <=4.02C (10.95.208.31)
  • ICONICS/GenBroker64, Platform Services, Workbench, FrameWorX Server (v5)
    Range: v10.96 and prior
  • Mitsubishi Electric/MC Works32 (v5)
    Range: Version 3.00A (9.50.255.02)
  • Mitsubishi Electric/MC Works64 (v5)
    Range: Version 4.02C (10.95.208.31) and earlier

Patches

0

No patches discovered yet.

References

2
