Critical SCADA Vulnerability Exposes Industrial Systems to Potential DoS Attacks
A recently identified medium-severity vulnerability in the Iconics Suite SCADA system poses a significant risk to industrial control systems across various sectors, including automotive, energy, and manufacturing. This flaw, designated as CVE-2025-0921, could enable attackers to initiate denial-of-service (DoS) conditions, potentially disrupting critical industrial operations.
Vulnerability Overview
CVE-2025-0921 arises from an execution-with-unnecessary-privileges weakness found in multiple services within Mitsubishi Electric’s Iconics Digital Solutions GENESIS64. With a Common Vulnerability Scoring System (CVSS) score of 6.5, this vulnerability is classified as medium severity. Successful exploitation allows attackers to misuse privileged file system operations, leading to privilege escalation and corruption of essential system binaries, thereby compromising system integrity and availability.
This vulnerability was discovered during an extensive security assessment conducted by Unit 42 researchers Asher Davila and Malav Vyas in early 2024. It is one of six vulnerabilities identified in Iconics Suite versions 10.97.2 and earlier for Microsoft Windows platforms. The researchers had previously disclosed five related vulnerabilities affecting the same SCADA platform, with CVE-2025-0921 emerging as an additional threat during their investigation.
According to Mitsubishi Electric’s security advisory, the vulnerability impacts all versions of GENESIS64, MC Works64, and GENESIS version 11.00. The Iconics Suite boasts hundreds of thousands of installations across more than 100 countries, encompassing critical infrastructure sectors such as government facilities, military installations, water and wastewater treatment plants, utilities, and energy providers.
Technical Exploitation Details
The vulnerability resides in the Pager Agent component of AlarmWorX64 MMX, the alarm management system responsible for monitoring industrial processes. Attackers with local access can exploit this flaw by manipulating the SMSLogFile path configuration stored in the IcoSetup64.ini file located in the C:\ProgramData\ICONICS directory.
The attack chain involves creating symbolic links from the log file location to target system binaries. When administrators send test messages or the system automatically triggers alerts, the logging information follows the symbolic link and overwrites critical drivers such as cng.sys, which provides cryptographic services for Windows system components.
Upon system reboot, the corrupted driver causes boot failures, trapping the machine in an endless repair loop and rendering the operational technology (OT) engineering workstation inoperable.
Researchers demonstrated that exploitation becomes significantly easier when combined with CVE-2024-7587, a previously disclosed vulnerability in the GenBroker32 installer that grants excessive permissions to the C:\ProgramData\ICONICS directory, allowing any local user to modify critical configuration files. However, attackers could still exploit CVE-2025-0921 independently if log files become writable due to misconfiguration, other vulnerabilities, or social engineering tactics.
Mitigation Measures
Mitsubishi Electric has released patches for GENESIS version 11.01 and later, which customers can download from the Iconics Community Resource Center. For GENESIS64 users, a fixed version is currently under development and will be released in the near future. The vendor has indicated no plans to release patches for MC Works64, requiring customers to implement mitigations in the meantime.
To mitigate the risk associated with this vulnerability, organizations are advised to:
– Apply Patches Promptly: Ensure that all systems are updated with the latest patches provided by Mitsubishi Electric as soon as they become available.
– Restrict Local Access: Limit local access to SCADA systems to authorized personnel only, reducing the risk of exploitation by malicious insiders or compromised accounts.
– Review and Harden Configurations: Regularly audit and harden system configurations to prevent unauthorized modifications to critical files and directories.
– Monitor System Logs: Implement continuous monitoring of system logs to detect and respond to suspicious activities promptly.
– Educate Personnel: Provide training to staff on recognizing and preventing social engineering attacks that could lead to exploitation of vulnerabilities.
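As an added example (not vendor code or part of the original advisory), the PowerShell audit below checks an ICONICS workstation for the two preconditions described in the exploitation section: broad write access on C:\ProgramData\ICONICS, and an SMSLogFile path in IcoSetup64.ini that points outside that directory or resolves to a reparse point. The directory, file and key names come from the article; the INI layout (key located by regex, section header ignored) and the list of "broad" principals are assumptions.

```powershell
# Audit an ICONICS workstation for the conditions the attack chain depends on.
# Added example, not vendor code. Directory, file and key names are from the
# article; the INI layout (key found by regex, section ignored) is assumed.
param([string]$IconicsDir = 'C:\ProgramData\ICONICS')
$IniPath  = Join-Path $IconicsDir 'IcoSetup64.ini'
$findings = @()

# 1. Directory ACL: a write/modify grant to a broad principal lets any local
#    user edit IcoSetup64.ini (the condition CVE-2024-7587 created).
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
foreach ($ace in (Get-Acl -Path $IconicsDir).Access) {
    $id = $ace.IdentityReference.Value
    if ($ace.AccessControlType -eq 'Allow' -and $broad -contains $id -and
        $ace.FileSystemRights -match 'Write|Modify|FullControl') {
        $findings += "Broad write access on $IconicsDir for $id ($($ace.FileSystemRights))"
    }
}

# 2. SMSLogFile: the configured log path must stay inside the ICONICS directory
#    and must not be a reparse point (symbolic link or junction) that would
#    redirect Pager Agent log writes onto a system binary such as cng.sys.
if (Test-Path -LiteralPath $IniPath) {
    $hit = Select-String -LiteralPath $IniPath -Pattern '^\s*SMSLogFile\s*=\s*(.+?)\s*$' |
           Select-Object -First 1
    if ($hit) {
        $full = [System.IO.Path]::GetFullPath($hit.Matches[0].Groups[1].Value)
        if (-not $full.StartsWith($IconicsDir, [System.StringComparison]::OrdinalIgnoreCase)) {
            $findings += "SMSLogFile points outside ${IconicsDir}: $full"
        }
        if (Test-Path -LiteralPath $full) {
            $item = Get-Item -LiteralPath $full -Force
            if (($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint) -ne 0) {
                $findings += "SMSLogFile target is a reparse point: $full"
            }
        }
    } else {
        $findings += "No SMSLogFile entry found in $IniPath"
    }
} else {
    $findings += "IcoSetup64.ini not found at $IniPath"
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Output "No ICONICS log-path or ACL issues found under $IconicsDir."
```

A junction placed on a parent directory of the log file would also redirect writes without the file itself being a reparse point, so a stricter version walks each parent directory with the same attribute check. Run it from a scheduled task under an administrative account and feed the warnings to whatever log monitoring the site already uses.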
Conclusion
The discovery of CVE-2025-0921 underscores the critical importance of securing SCADA systems that form the backbone of industrial operations. Organizations must remain vigilant, apply necessary patches, and implement robust security measures to protect against potential DoS attacks that could disrupt essential services and operations.