### Key Information

#### Summary

- **Title**: ICONICS Suite and Mitsubishi Electric MC Works64 Products (Update B)
- **Last Revised**: January 15, 2026
- **Alert ID**: ICSA-22-202-04
- **Related Topics**: Industrial Control System Vulnerabilities, Industrial Control Systems

#### Vulnerability Description

- Successful exploitation of these vulnerabilities could lead to information disclosure, remote code execution, or denial-of-service conditions.

#### Affected Versions

- GENESIS64: CVE-2022-29834, CVE-2022-33315, CVE-2022-33316, CVE-2022-33317, CVE-2022-33318, CVE-2022-33319, CVE-2022-33320
- ICONICS Suite: CVE-2022-29834, CVE-2022-33315, CVE-2022-33316, CVE-2022-33317, CVE-2022-33318, CVE-2022-33319, CVE-2022-33320
- MC Works64: CVE-2022-29834
- GENESIS32: CVE-2022-33318, CVE-2022-33319

#### Vulnerability Details

- **CVSS**: 3.9.8
- **Vendor**: Mitsubishi Electric, Iconics Digital Solutions Inc., Mitsubishi Electric
- **Product**: ICONICS Suite and Mitsubishi Electric MC Works64 Products
- **Vulnerability Types**:
  - Improper restriction of path names to restricted directories ('path traversal')
  - Deserialization of untrusted data
  - Functionality from untrusted control scope including
  - Out-of-bounds read

#### Background

- **Critical Infrastructure Sector**: Critical Manufacturing
- **Deployment Regions**: Global
- **Company Headquarters Locations**: United States, Japan

#### Acknowledgments

- Steven Seeley, Alex Birmberg, Ben McBride, Axel '0vercl0k', and Souchet of Trend Micro Zero Day Initiative reported these vulnerabilities to CISA
- Chris Anastasio and Noam Moshe of Claroty Research reported these vulnerabilities to CISA

#### Recommended Actions

- Minimize network exposure of all control system devices and/or systems
- Use more secure remote access methods, such as virtual private networks (VPNs)
- Perform appropriate impact analysis and risk assessment

#### Revision History

- **Initial Release Date**: July 26, 2022
- Update A: July 24, 2025 (updated affected vendors, products, versions, CVE scores, and mitigations)
- Update B: January 15, 2026 (updated affected products and mitigations)

#### Vendors

- ICONICS, Mitsubishi Electric