CVE-2022-33318
Description
Deserialization of Untrusted Data vulnerability in Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric ICONICS Suite versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite versions 10.97 to 10.97.1, Mitsubishi Electric GENESIS32 versions 9.7 and prior, Mitsubishi Electric Iconics Digital Solutions GENESIS32 versions 9.7 and prior, and Mitsubishi Electric MC Works64 versions 4.04E and prior allows a remote unauthenticated attacker to execute arbitrary malicious code by sending specially crafted packets to the GENESIS64, ICONICS Suite, GENESIS32, or MC Works64 server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A remote unauthenticated attacker can execute arbitrary code via deserialization of untrusted data in Mitsubishi Electric GENESIS64, ICONICS Suite, GENESIS32, and MC Works64 servers.
Vulnerability
A deserialization of untrusted data vulnerability (CWE-502) exists in Mitsubishi Electric GENESIS64 and ICONICS Suite versions 10.97 to 10.97.1 (in both cases including the Iconics Digital Solutions variant), GENESIS32 versions 9.7 and prior, and MC Works64 versions 4.04E and prior [1][2]. The affected components deserialize input without proper validation, allowing an attacker to inject malicious serialized objects.
Exploitation
An attacker can exploit this vulnerability remotely without authentication by sending specially crafted packets to the server [1]. No user interaction or special network position beyond network access to the server is required. The attacker crafts malicious serialized data that, when deserialized by the server, triggers the execution of arbitrary code.
Impact
Successful exploitation allows a remote unauthenticated attacker to execute arbitrary malicious code on the server [1]. This results in full compromise of the confidentiality, integrity, and availability of the affected system, potentially allowing the attacker to take complete control of the server.
Mitigation
Mitsubishi Electric has released updates to address this vulnerability. Users should update GENESIS64 and ICONICS Suite to version 10.97.2 or later, GENESIS32 to version 9.8 or later, and MC Works64 to version 4.05 or later [1]. No workarounds are provided in the available references. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: 10.97 to 10.97.1
- Range: 10.97 to 10.97.1
- Range: 4.04E and prior
- Mitsubishi Electric/GENESIS32 (v5), Range: Versions 9.7 and prior
- Mitsubishi Electric/GENESIS64 (v5), Range: Versions 10.97 to 10.97.1
- Mitsubishi Electric Iconics Digital Solutions/GENESIS32 (v5), Range: Versions 9.7 and prior
- Mitsubishi Electric Iconics Digital Solutions/GENESIS64 (v5), Range: Versions 10.97 to 10.97.1
- Mitsubishi Electric Iconics Digital Solutions/ICONICS Suite (v5), Range: Versions 10.97 to 10.97.1
- Mitsubishi Electric/ICONICS Suite (v5), Range: Versions 10.97 to 10.97.1
- Mitsubishi Electric/MC Works64 (v5), Range: Versions 4.04E and prior
References
- www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf (mitre, vendor-advisory)
- jvn.jp/vu/JVNVU96480474/index.html (mitre, government-resource)
- www.cisa.gov/news-events/ics-advisories/icsa-22-202-04 (mitre, government-resource)