Executive Summary
In December 2025, Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric Products disclosed a critical vulnerability (CVE-2025-11774) affecting GENESIS64, ICONICS Suite, MobileHMI, and MC Works64 software. This OS command injection flaw resides in the software keyboard (keypad) function, enabling local attackers to execute arbitrary executable files (.EXE) by tampering with configuration files. If successfully exploited, adversaries could trigger denial-of-service (DoS), information tampering, and unauthorized information disclosure or destruction on systems running these products. A fix is available for most products by upgrading to GENESIS64 v10.97.3 or higher, but MC Works64 users must migrate as no patch is planned.
The incident is significant for the critical manufacturing sector, highlighting persistent risks tied to ICS software supply chains. As attackers increasingly exploit software flaws in operational technology, prompt patching and network segmentation remain vital. This vulnerability’s disclosure underscores the necessity for maintaining robust controls on critical infrastructure endpoints and monitoring for lateral movement threats.
Why This Matters Now
This vulnerability exemplifies the urgent threat to industrial control systems from local privilege escalation via supply-chain software weaknesses. With no patch for certain versions and critical infrastructure at risk, immediate action and layered security measures are imperative to prevent potential exploitation in manufacturing and automation environments.
Attack Path Analysis
An attacker with local access tampers with the keypad configuration file so that the software keyboard launches an attacker-chosen executable, gaining initial code execution on the target system. From this foothold, the attacker could abuse the process context to escalate privileges and gain broader system access, then attempt to move laterally within the network to other connected assets or services. With persistent access, the attacker could establish command and control over compromised assets and coordinate further malicious activity. Sensitive data could then be collected and exfiltrated by the arbitrary code, with outbound traffic used for the transfer. Finally, the attacker could impact the environment through data tampering, disclosure, or denial-of-service by executing arbitrary or destructive files.
Kill Chain Progression
Initial Compromise
Description
Attacker tampers with the keypad configuration file on a locally accessible system to facilitate execution of arbitrary code via OS command injection (CVE-2025-11774).
Related CVEs
CVE-2025-11774
CVSS 8.2
An OS command injection vulnerability in the keypad function allows local attackers to execute arbitrary executable files, potentially leading to information disclosure, data tampering, or denial-of-service conditions.
Affected Products:
Mitsubishi Electric GENESIS64 – <=10.97.2_CFR3
Mitsubishi Electric ICONICS Suite – <=10.97.2_CFR3
Mitsubishi Electric MobileHMI – <=10.97.2_CFR3
Mitsubishi Electric MC Works64 – all versions
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Command and Scripting Interpreter
User Execution: Malicious File
System Services: Service Execution
Endpoint Denial of Service
Indicator Removal on Host: File Deletion
Data from Local System
Data Manipulation: Stored Data Manipulation
Exploitation for Credential Access
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Implement Strong Access Controls
Control ID: 2.2.4
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 9
CISA Zero Trust Maturity Model 2.0 – Segmentation and Least Privilege
Control ID: 2.1.3
NIS2 Directive – Technical and Organizational Cybersecurity Measures
Control ID: Article 21
ISO/IEC 27001:2022 – Management of Technical Vulnerabilities
Control ID: A.12.6.1
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Industrial Automation
Critical vulnerability in Mitsubishi Electric HMI systems enables OS command injection, threatening manufacturing control systems with DoS, data tampering, and information disclosure.
Automotive
Manufacturing execution systems using affected ICONICS products face operational disruption risks from malicious code execution through compromised software keyboard functions in production environments.
Oil/Energy/Solar/Greentech
Energy infrastructure utilizing Mitsubishi Electric control systems vulnerable to attackers executing arbitrary files, potentially disrupting critical power generation and distribution operations.
Utilities
Power and water utility SCADA systems running vulnerable GENESIS64 software face significant security risks requiring immediate patching to prevent system compromise and service disruption.
Sources
- Mitsubishi Electric Iconics Digital Solutions and Mitsubishi Electric Products (CISA ICS Advisory ICSA-25-352-04): https://www.cisa.gov/news-events/ics-advisories/icsa-25-352-04
- Malicious Code Execution Vulnerability in the Software Keyboard Function of GENESIS64, ICONICS Suite, Mobile HMI, and MC Works64 (Mitsubishi Electric PSIRT): https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-018_en.pdf
- CVE-2025-11774 Detail (NVD): https://nvd.nist.gov/vuln/detail/CVE-2025-11774
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying CNSF-aligned controls—such as East-West segmentation, egress policy enforcement, threat detection, and end-to-end encrypted traffic—would have significantly limited the attack surface, reduced lateral exposure, and improved the ability to detect or prevent both command execution and sensitive data loss. Real-time anomaly detection, microsegmentation, and robust outbound filtering would have broken the kill chain at multiple stages.
Control: Threat Detection & Anomaly Response
Mitigation: Real-time alerts trigger on anomalous modification or code execution behavior.
Control: East-West Traffic Security
Mitigation: Segmentation limits attacker's ability to leverage newfound privileges to access critical assets.
Control: Zero Trust Segmentation
Mitigation: Microsegmentation prevents unauthorized lateral movement between workloads.
Control: Inline IPS (Suricata)
Mitigation: Suspicious outbound command and control communications are detected and blocked.
Control: Egress Security & Policy Enforcement
Mitigation: Unauthorized outbound data transfer to external destinations is blocked.
Comprehensive audit trails and centralized visibility enable rapid response and containment.
Impact at a Glance
Affected Business Functions
- Industrial Control Systems
- Manufacturing Operations
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of sensitive operational data and system configurations due to unauthorized code execution.
Recommended Actions
Key Takeaways & Next Steps
- Enforce Zero Trust Segmentation to prevent lateral movement from compromised devices.
- Deploy anomaly detection and incident response tools to identify unauthorized local file modifications or process behaviors.
- Apply strict egress filtering and outbound policy enforcement to disrupt data exfiltration and command and control.
- Leverage inline IPS and encrypted traffic inspection to block known exploit or remote access attempts in real time.
- Maintain centralized, multi-cloud visibility for rapid threat detection, investigation, and containment of malicious activity.
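The initial compromise in CVE-2025-11774 is a tampered keypad configuration file that points the software keyboard at an attacker-chosen .EXE, and the second action above asks for detection of exactly that kind of local file modification. The following added example (not ICONICS or Mitsubishi Electric code) shows one defender-side check: baseline the file's SHA-256 and verify that every executable it references resolves inside the product's install directory. The configuration format, file content and directory paths are constructed assumptions, since the advisory does not publish them.

```python
"""Integrity and allowlist check for an HMI keypad configuration file (added example)."""
import hashlib
import ntpath
import re

# Constructed sample configuration: the real keypad file format and paths are
# not described in the advisory, so this content is a hypothetical placeholder.
SAMPLE_CONFIG = (
    "[Keypad]\r\n"
    "Layout=Numeric\r\n"
    "OnEnter=C:\\Program Files\\ICONICS\\GENESIS64\\Components\\Keypad.exe\r\n"
)
# Constructed tampered copy: the reference now escapes the install directory.
TAMPERED_CONFIG = SAMPLE_CONFIG.replace(
    "Components\\Keypad.exe", "..\\..\\..\\Users\\Public\\unexpected.exe")

# Directories from which the keypad may launch executables (assumed install path).
ALLOWED_DIRS = ["C:\\Program Files\\ICONICS\\GENESIS64\\"]

# Windows drive or UNC path ending in .exe; spaces are allowed inside the path.
EXE_PATH = re.compile(r"(?:[A-Za-z]:\\|\\\\)[^\r\n;,]*?\.exe\b", re.IGNORECASE)


def sha256_text(text: str) -> str:
    """Hash the file content exactly as stored (CRLF line endings included)."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def referenced_executables(text: str) -> list[str]:
    """Every .exe path the configuration would hand to the keypad launcher."""
    return EXE_PATH.findall(text)


def check_config(text: str, baseline_sha256: str, allowed_dirs: list[str]) -> list[str]:
    """Return findings; an empty list means the file matches its baseline and allowlist."""
    findings = []
    if sha256_text(text) != baseline_sha256:
        findings.append("hash mismatch against baseline")
    allowed = [ntpath.normcase(ntpath.normpath(d)) for d in allowed_dirs]
    for raw in referenced_executables(text):
        if ".." in raw.split("\\"):
            findings.append(f"path traversal in reference: {raw}")
        # Collapse '..' segments before the allowlist comparison, as Windows would.
        resolved = ntpath.normcase(ntpath.normpath(raw))
        if not any(resolved.startswith(a + "\\") for a in allowed):
            findings.append(f"executable outside allowed directories: {resolved}")
    return findings


BASELINE_SHA256 = sha256_text(SAMPLE_CONFIG)  # recorded at commissioning time

if __name__ == "__main__":
    print("clean:", check_config(SAMPLE_CONFIG, BASELINE_SHA256, ALLOWED_DIRS))
    print("tampered:", check_config(TAMPERED_CONFIG, BASELINE_SHA256, ALLOWED_DIRS))
```

In production the baseline hash would be stored outside the HMI host and the check scheduled or triggered by a file-change event, with any finding forwarded to the alerting pipeline described under Threat Detection & Anomaly Response.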