VYPR
Unrated severity · NVD Advisory · Published Jul 20, 2022 · Updated Jan 9, 2026

CVE-2022-33320

Description

Deserialization of Untrusted Data vulnerability in Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric ICONICS Suite versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite versions 10.97 to 10.97.1, and Mitsubishi Electric MC Works64 versions 4.04E and prior allows an unauthenticated attacker to execute arbitrary malicious code by leading a user to load a project configuration file containing malicious XML code.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

An unauthenticated attacker can achieve remote code execution by loading a malicious project configuration file with crafted XML into Mitsubishi Electric GENESIS64, ICONICS Suite, or MC Works64.

Vulnerability

This is a deserialization of untrusted data vulnerability (CWE-502) affecting Mitsubishi Electric GENESIS64 versions 10.97 through 10.97.1, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97 through 10.97.1, Mitsubishi Electric ICONICS Suite versions 10.97 through 10.97.1, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite versions 10.97 through 10.97.1, and Mitsubishi Electric MC Works64 versions 4.04E and prior [1][2]. The flaw resides in the project configuration file parser. When a user loads a specially crafted project configuration file containing malicious XML code, the software deserializes the untrusted data without proper validation, leading to arbitrary code execution.

Exploitation

An unauthenticated attacker must convince a user to load a malicious project configuration file [1]. No authentication or special network position is required beyond delivering the file to the targeted user. The attacker crafts a project configuration file that embeds malicious serialized data in its XML. If the victim opens this file in the affected product, the deserialization step triggers execution of the attacker's code.

Impact

Successful exploitation allows an unauthenticated attacker to execute arbitrary malicious code on the affected system [1]. This can lead to full compromise of the confidentiality, integrity, and availability of the application and underlying host. The attacker gains the same privileges as the user running the affected software, which in industrial control environments may be a highly privileged account.

Mitigation

Mitsubishi Electric recommends updating GENESIS64 and ICONICS Suite to version 10.98 or later, and MC Works64 to version 4.05 or later [1]. For affected products where no patch is available, users should follow the workarounds described in the vendor advisory, including restricting network exposure and ensuring project files are obtained from trusted sources only [1][2]. This vulnerability is not known to be in CISA’s Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Mitsubishi Electric/GENESIS64v5
    Range: Versions 10.97 to 10.97.1
  • Mitsubishi Electric Iconics Digital Solutions/GENESIS64v5
    Range: Versions 10.97 to 10.97.1
  • Mitsubishi Electric Iconics Digital Solutions/ICONICS Suitev5
    Range: Versions 10.97 to 10.97.1
  • Mitsubishi Electric/ICONICS Suitev5
    Range: Versions 10.97 to 10.97.1
  • Mitsubishi Electric/MC Works64v5
    Range: Versions 4.04E and prior

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.