CVE-2022-33315
Description
Deserialization of Untrusted Data vulnerability in Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric ICONICS Suite versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite versions 10.97 to 10.97.1, and Mitsubishi Electric MC Works64 versions 4.04E and prior allows an unauthenticated attacker to execute arbitrary malicious code by leading a user to load a monitoring screen file that includes malicious XAML code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Deserialization of untrusted data in Mitsubishi Electric GENESIS64, ICONICS Suite, and MC Works64 allows unauthenticated remote code execution via a malicious monitoring screen file.
Vulnerability
A deserialization of untrusted data vulnerability exists in Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.1, ICONICS Suite versions 10.97 to 10.97.1, and MC Works64 versions 4.04E and prior [1][2]. The vulnerability occurs when a user loads a monitoring screen file containing malicious XAML code, which is deserialized without proper validation.
Exploitation
An unauthenticated attacker can exploit this vulnerability by crafting a malicious monitoring screen file with embedded XAML payloads and convincing a user to open it in the affected software [1]. No authentication or special network access is required; the attacker only needs to deliver the file to the user (e.g., via email or download).
Impact
Successful exploitation allows the attacker to execute arbitrary code on the target system with the privileges of the user running the software [1][2]. This can lead to full compromise of the affected workstation or server, including data theft, system modification, or further lateral movement.
Mitigation
Mitsubishi Electric has released updates to address this vulnerability; users should contact the vendor for specific fixed version numbers [1][2]. As a workaround, avoid opening monitoring screen files from untrusted sources. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the advisory date.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 10.97 to 10.97.1
- Range: 10.97 to 10.97.1
- Range: <=4.04E
- Mitsubishi Electric/GENESIS64 (v5), Range: Versions 10.97 to 10.97.1
- Mitsubishi Electric Iconics Digital Solutions/GENESIS64 (v5), Range: Versions 10.97 to 10.97.1
- Mitsubishi Electric Iconics Digital Solutions/ICONICS Suite (v5), Range: Versions 10.97 to 10.97.1
- Mitsubishi Electric/ICONICS Suite (v5), Range: Versions 10.97 to 10.97.1
- Mitsubishi Electric/MC Works64 (v5), Range: Versions 4.04E and prior
Patches
No patches discovered yet.
References
- www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf (mitre, vendor-advisory)
- jvn.jp/vu/JVNVU96480474/index.html (mitre, government-resource)
- www.cisa.gov/news-events/ics-advisories/icsa-22-202-04 (mitre, government-resource)