CVE-2022-23130
Description
Buffer Over-read vulnerability in Mitsubishi Electric MC Works64 versions 4.00A to 4.04E, Mitsubishi Electric GENESIS64 versions 10.97 and prior, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97 and prior, Mitsubishi Electric ICONICS Suite versions 10.97 and prior, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite versions 10.97 and prior, Mitsubishi Electric GENESIS32 versions 9.7 and prior, and Mitsubishi Electric Iconics Digital Solutions GENESIS32 versions 9.7 and prior allows an attacker to cause a DoS condition in the database server by getting a legitimate user to import a configuration file containing specially crafted stored procedures into GENESIS64, ICONICS Suite, MC Works64, or GENESIS32 and execute commands against the database from GENESIS64, ICONICS Suite, MC Works64, or GENESIS32.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Buffer over-read in Mitsubishi Electric SCADA products allows DoS via specially crafted stored procedures.
Vulnerability
A buffer over-read vulnerability (CWE-126) exists in the database server component of Mitsubishi Electric GENESIS64, ICONICS Suite, MC Works64, and GENESIS32 when processing stored procedures. The affected versions are: - GENESIS64 ≤ 10.97 - ICONICS Suite ≤ 10.97 - MC Works64 4.00A to 4.04E - GENESIS32 ≤ 9.7
A legitimate user must import a configuration file containing specially crafted stored procedures into the product and then execute commands against the database from the affected software [1][2].
Exploitation
The attacker must have network adjacency to the target system (CVSSv3 vector AV:A) and requires high privileges with user interaction. The attack complexity is high. The exploitation sequence is: the attacker crafts a configuration file with malicious stored procedures, convinces a legitimate user to import it into the SCADA product, and then waits for the user to execute database commands from the affected software. The buffer over-read occurs when the database server processes the malicious stored procedures [1][2].
Impact
Successful exploitation causes a denial-of-service (DoS) condition in the database server (SQL Server), potentially disrupting SCADA operations. The CVSSv3.1 score is 5.9 (Medium) with availability impact rated as high, while integrity impact is low and confidentiality impact is none [1][2].
Mitigation
Mitsubishi Electric has released updates to address this vulnerability. For GENESIS64 and ICONICS Suite, update to a version later than 10.97. For MC Works64, update beyond version 4.04E. For GENESIS32, update beyond version 9.7. Refer to the vendor's advisory for specific patch details [2]. If immediate patching is not possible, restrict network access to affected systems and avoid importing configuration files from untrusted sources.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
10<=10.97+ 1 more
- (no CPE)range: <=10.97
- (no CPE)range: Versions 10.97 and prior
<=10.97+ 1 more
- (no CPE)range: <=10.97
- (no CPE)range: Versions 10.97 and prior
>=4.00A, <=4.04E+ 1 more
- (no CPE)range: >=4.00A, <=4.04E
- (no CPE)range: Versions 4.00A to 4.04E
- Mitsubishi Electric Corporation/GENESIS32v5Range: Versions 9.7 or prior
- Mitsubishi Electric Iconics Digital Solutions/GENESIS32v5Range: Versions 9.7 or prior
- Mitsubishi Electric Iconics Digital Solutions/GENESIS64v5Range: Versions 10.97 and prior
- Mitsubishi Electric Iconics Digital Solutions/ICONICS Suitev5Range: Versions 10.97 and prior
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-028_en.pdfmitrevendor-advisory
- jvn.jp/vu/JVNVU95403720/index.htmlmitregovernment-resource
- us-cert.cisa.gov/ics/advisories/icsa-22-020-01mitregovernment-resource
News mentions
0No linked articles in our index yet.