CVE-2022-33316
Description
Deserialization of Untrusted Data vulnerability in Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric ICONICS Suite versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite versions 10.97 to 10.97.1, and Mitsubishi Electric MC Works64 versions 4.04E and prior allows an unauthenticated attacker to execute arbitrary malicious code by leading a user to load a monitoring screen file that includes malicious XAML code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Deserialization of untrusted data in Mitsubishi Electric GENESIS64/ICONICS Suite and MC Works64 allows arbitrary code execution via crafted XAML monitoring screens.
Vulnerability
Deserialization of Untrusted Data vulnerability (CWE-502) in Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.1, ICONICS Suite versions 10.97 to 10.97.1, and MC Works64 versions 4.04E and prior. An attacker can embed malicious XAML code in a monitoring screen file that, when loaded by a user, triggers deserialization of untrusted data leading to arbitrary code execution [1][2].
Exploitation
An unauthenticated attacker needs to convince a user to load a specially crafted monitoring screen file containing malicious XAML code. The file could be delivered via email, network share, or other means. No authentication is required; user interaction is required [1][2].
Impact
Successful exploitation allows arbitrary code execution on the affected system with the privileges of the user running the monitoring screen application, potentially leading to full compromise of the workstation and/or server [1][2].
Mitigation
As of the advisory dates (July 2022), Mitsubishi Electric had not released patches for this vulnerability. Users are advised to apply the mitigations recommended in the CISA advisory, such as restricting network access, using firewalls, and implementing application whitelisting. Affected versions: GENESIS64/ICONICS Suite 10.97 to 10.97.1, MC Works64 <=4.04E [1][2].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (8)
- Range: >=10.97 <=10.97.1
- Range: >=10.97 <=10.97.1
- Range: <=4.04E
- Mitsubishi Electric/GENESIS64 (v5) Range: Versions 10.97 to 10.97.1
- Mitsubishi Electric Iconics Digital Solutions/GENESIS64 (v5) Range: Versions 10.97 to 10.97.1
- Mitsubishi Electric Iconics Digital Solutions/ICONICS Suite (v5) Range: Versions 10.97 to 10.97.1
- Mitsubishi Electric/ICONICS Suite (v5) Range: Versions 10.97 to 10.97.1
- Mitsubishi Electric/MC Works64 (v5) Range: Versions 4.04E and prior
Patches
No patches discovered yet.
References (3)
- www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf (mitre, vendor-advisory)
- jvn.jp/vu/JVNVU96480474/index.html (mitre, government-resource)
- www.cisa.gov/news-events/ics-advisories/icsa-22-202-04 (mitre, government-resource)