CVE-2020-12015

Vulnerability

CVE-2020-12015 is a deserialization of untrusted data vulnerability (CWE-502) in Mitsubishi Electric MC Works64 (version 4.02C and earlier) and MC Works32 (version 3.00A), as well as ICONICS GENESIS64 and GENESIS32 products using GenBroker64, Platform Services, Workbench, FrameWorX Server (version 10.96 and prior) and GenBroker32 (version 9.5 and prior) [1][2]. A specially crafted communication packet sent to the affected platform services causes improper deserialization, leading to a denial-of-service condition.

Exploitation

An attacker can exploit this vulnerability remotely over the network without authentication or user interaction [1][2]. The attack complexity is low, meaning no special conditions are required. The attacker sends a maliciously crafted packet to the target system's platform services, triggering the deserialization flaw.

Impact

Successful exploitation results in a denial-of-service condition, affecting the availability of the system. There is no impact on confidentiality or integrity [1][2]. The CVSS v3 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

Mitigation

Mitsubishi Electric and ICONICS have released advisories through CISA [1][2]. Users should update to the latest versions as specified by the vendors. For Mitsubishi Electric MC Works64, upgrade to version 4.02C or later; for MC Works32, upgrade to version 3.00A or later. For ICONICS products, upgrade to versions beyond 10.96 for GENESIS64 and beyond 9.5 for GENESIS32. If patching is not possible, restrict network access to the affected services and apply firewall rules to limit exposure.