CVE-2022-33317
Description
Inclusion of Functionality from Untrusted Control Sphere vulnerability in Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric ICONICS Suite versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite versions 10.97 to 10.97.1, and Mitsubishi Electric MC Works64 versions 4.04E and prior allows an unauthenticated attacker to execute arbitrary malicious code by leading a user to load a monitoring screen file that includes malicious script code.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated attacker can execute arbitrary code by tricking a user into loading a malicious monitoring screen file in Mitsubishi GENESIS64, ICONICS Suite, and MC Works64.
Vulnerability
This vulnerability is an Inclusion of Functionality from Untrusted Control Sphere (CWE-829) affecting Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric ICONICS Suite versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite versions 10.97 to 10.97.1, and Mitsubishi Electric MC Works64 versions 4.04E and prior [1][2]. The flaw allows an unauthenticated attacker to execute arbitrary malicious code by convincing a user to load a monitoring screen file that includes malicious script code from an untrusted source.
Exploitation
To exploit this vulnerability, an attacker must craft a malicious monitoring screen file that incorporates script from an untrusted control sphere. The attacker then socially engineers a user to open this file within the affected application. No authentication is required, and the attacker does not require network access beyond delivering the file to the user [1][2].
Impact
Successful exploitation results in arbitrary code execution in the context of the affected application. This can lead to full system compromise, including information disclosure, data modification, or denial of service [1][2].
Mitigation
Mitsubishi Electric has released fixes: for GENESIS64 and ICONICS Suite, update to version 10.97.2 or later; for MC Works64, update to version 4.04F or later [1][2]. Users should contact Mitsubishi Electric Iconics Digital Solutions or Mitsubishi Electric for updates. As a workaround, avoid opening monitoring screen files from untrusted sources until the patch is applied [1][2].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 10.97 to 10.97.1
- Range: <= 4.04E
- Mitsubishi Electric/GENESIS64, v5, Range: Versions 10.97 to 10.97.1
- Mitsubishi Electric Iconics Digital Solutions/GENESIS64, v5, Range: Versions 10.97 to 10.97.1
- Mitsubishi Electric Iconics Digital Solutions/ICONICS Suite, v5, Range: Versions 10.97 to 10.97.1
- Mitsubishi Electric/ICONICS Suite, v5, Range: Versions 10.97 to 10.97.1
- Mitsubishi Electric/MC Works64, v5, Range: Versions 4.04E and prior
Patches
No patches discovered yet.
References
- www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf (mitre, vendor-advisory)
- jvn.jp/vu/JVNVU96480474/index.html (mitre, government-resource)
- www.cisa.gov/news-events/ics-advisories/icsa-22-202-04 (mitre, government-resource)