Information Disclosure, Information Tampering and Denial of Service (DoS) Vulnerability in GENESIS64, ICONICS Suite, MC Works64, and GENESIS32
Description
Incorrect Default Permissions vulnerability in GenBroker32, which is included in the installers for Mitsubishi Electric GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric GENESIS32 versions 9.70.300.23 and prior, Mitsubishi Electric Iconics Digital Solutions GENESIS32 versions 9.70.300.23 and prior, and Mitsubishi Electric MC Works64 all versions allows a local authenticated attacker to disclose or tamper with confidential information and data contained in the products, or cause a denial of service (DoS) condition on the products, by accessing a folder with incorrect permissions, when GenBroker32 is installed on the same PC as GENESIS64, ICONICS Suite, MC Works64, or GENESIS32.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Incorrect default permissions in GenBroker32 installer allow local authenticated attackers to access sensitive data or cause DoS in multiple Mitsubishi Electric products.
Vulnerability
Incorrect default permissions (CWE-276) exist on the C:\ProgramData\ICONICS folder when the GenBroker32 component, bundled with the installers for Mitsubishi Electric GENESIS64, ICONICS Suite, MC Works64, and GENESIS32, is installed on the same PC. Affected versions include GENESIS64 and ICONICS Suite up to version 10.97.3, GENESIS32 up to version 9.70.300.23, and all versions of MC Works64. [1][2]
Exploitation
A local authenticated attacker can access the C:\ProgramData\ICONICS folder due to its incorrect permissions. No additional privileges beyond local access are required. The attacker can read, modify, or delete files within this folder, potentially causing a denial of service by corrupting critical data. [1]
Impact
Successful exploitation allows the attacker to disclose confidential information, tamper with data, or cause a denial of service (DoS) condition on the affected products. The attacker gains access at the privilege level of the local user account used to access the folder. [2]
Mitigation
For GENESIS64 and ICONICS Suite version 10.97.3 users, apply the security update from the ICONICS Community Portal after uninstalling GenBroker32 and reinstalling it [1]. For GENESIS32 and MC Works64, no fixes are planned; GENESIS32 has reached end-of-life, and MC Works64 users should follow the advisory [2]. No workaround has been provided for unfixed versions.
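To verify the folder's permissions on a given host, before or after the update, the following added example (not taken from the advisory or from vendor code) lists allow ACEs on C:\ProgramData\ICONICS that give broad groups write, delete or permission-changing rights. The set of groups treated as "broad", the rights mask and the function name `Get-BroadWriteAce` are assumptions chosen for illustration; the page does not state which accounts hold the excessive rights.

```powershell
# Added example: audit ACLs under the folder named in the description.
param(
    [string]$Path = 'C:\ProgramData\ICONICS'
)

# Well-known SIDs of broad groups (assumed set; SIDs are locale-independent).
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'INTERACTIVE'
}

# Rights that let the holder alter or remove content, plus the raw
# GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) bits, which
# Get-Acl can return unmapped on inherit-only ACEs.
$Named = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$WriteMask = [int]$Named -bor 0x50000000

function Get-BroadWriteAce {
    param([Parameter(Mandatory)][string]$LiteralPath)

    $acl = Get-Acl -LiteralPath $LiteralPath
    # Explicit and inherited rules, with identities resolved to SIDs.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        $sid = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and
            $BroadSids.ContainsKey($sid) -and
            ([int]$ace.FileSystemRights -band $WriteMask)) {
            [pscustomobject]@{
                Path      = $LiteralPath
                Principal = $BroadSids[$sid]
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
                AppliesTo = $ace.InheritanceFlags
            }
        }
    }
}

if (Test-Path -LiteralPath $Path) {
    $children = (Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue).FullName
    @($Path) + $children | Where-Object { $_ } |
        ForEach-Object { Get-BroadWriteAce -LiteralPath $_ } |
        Format-Table -AutoSize
}
```

Rows with `Inherited = True` come from the parent folder's ACL rather than from an entry set on the ICONICS folder itself, so compare them against the parent before treating them as installer-created.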
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Mitsubishi Electric Corporation/GENESIS32 (v5), range: Versions 9.70.300.23 and prior
- Mitsubishi Electric Iconics Digital Solutions/GENESIS32 (v5), range: Versions 9.70.300.23 and prior
- Mitsubishi Electric Iconics Digital Solutions/GENESIS64 (v5), range: Versions 10.97.3 and prior
- Mitsubishi Electric Iconics Digital Solutions/ICONICS Suite (v5), range: Versions 10.97.3 and prior
Patches
No patches discovered yet.
References
- www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2024-008_en.pdf (mitre, vendor-advisory)
- jvn.jp/vu/JVNVU95548104 (mitre, government-resource)
- www.cisa.gov/news-events/ics-advisories/icsa-24-296-01 (mitre, government-resource)