Local Authenticated Attacker Can Execute Malicious Code in ICONICS GENESIS64
CVE-2024-8299

7.8HIGH

Key Information:

Vendor
Mitsubishi Electric Corporation
Status
Genesis64
Mc Works64
Vendor
CVE Published:
28 November 2024

Summary

The vulnerability allows an authenticated local attacker to execute arbitrary code by placing a specially crafted DLL in a designated folder, potentially leading to data disclosure, modification, destruction, or denial of service within the affected products. The instances involve both ICONICS and Mitsubishi Electric's GENESIS64 and MC Works64 platforms, emphasizing the necessity for review and remediation to secure systems against exploitation.

Affected Version(s)

GENESIS64 all versions

GENESIS64 all versions

MC Works64 all versions

References

https://www.mitsubishielectric.com/en/psirt/vulnerability...
vendor-advisory
https://jvn.jp/vu/JVNVU93891820
government-resource
https://www.cisa.gov/news-events/ics-advisories/icsa-24-3...
government-resource

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

Credit

Asher Davila of Palo Alto Networks
Malav Vyas of Palo Alto Networks
.