CISA ICSA-22-202-04: Mitsubishi/ICONICS Vulnerabilities (RCE/Path Traversal)

Key Information Summary Title: ICONICS Suite and Mitsubishi Electric MC Works64 Products (Update B) Last Revised: January 15, 2026 Alert ID: ICSA-22-202-04 Related Topics: Industrial Control System Vulnerabilities, Industrial Control Systems Vulnerability Description Successful exploitation of these vulnerabilities could lead to information disclosure, remote code execution, or denial-of-service conditions. Affected Versions GENESIS64: CVE-2022-29834, CVE-2022-33315, CVE-2022-33316, CVE-2022-33317, CVE-2022-33318, CVE-2022-33319, CVE-2022-33320 ICONICS Suite: CVE-2022-29834, CVE-2022-33315, CVE-2022-33316, CVE-2022-33317, CVE-2022-33318, CVE-2022-33319, CVE-2022-33320 MC Works64: CVE-2022-29834 GENESIS32: CVE-2022-33318, CVE-2022-33319 Vulnerability Details CVSS: 3.9.8 Vendor: Mitsubishi Electric, Iconics Digital Solutions Inc., Mitsubishi Electric Product: ICONICS Suite and Mitsubishi Electric MC Works64 Products Vulnerability Types: - Improper restriction of path names to restricted directories ('path traversal') - Deserialization of untrusted data - Functionality from untrusted control scope including - Out-of-bounds read Background Critical Infrastructure Sector: Critical Manufacturing Deployment Regions: Global Company Headquarters Locations: United States, Japan Acknowledgments Steven Seeley, Alex Birmberg, Ben McBride, Axel '0vercl0k', and Souchet of Trend Micro Zero Day Initiative reported these vulnerabilities to CISA Chris Anastasio and Noam Moshe of Claroty Research reported these vulnerabilities to CISA Recommended Actions Minimize network exposure of all control system devices and/or systems Use more secure remote access methods, such as virtual private networks (VPNs) Perform appropriate impact analysis and risk assessment Revision History Initial Release Date: July 26, 2022 - Update A: July 24, 2025 (updated affected vendors, products, versions, CVE scores, and mitigations) - Update B: January 15, 2026 (updated affected products and mitigations) Legal Notices and Terms of Use This product is subject to notices and privacy policies Vendors ICONICS, Mitsubishi Electric Related Announcements AVEVA Process Optimization Siemens SIMATIC and SIPLUS Products Siemens TeleControl Server Basic Siemens RUGGEDCOM ROS

Goal Reached Thanks to every supporter — we hit 100%!

CISA ICSA-22-202-04: Mitsubishi/ICONICS Vulnerabilities (RCE/Path Traversal)

More from this source