CVE-2022-33320: 
Mitsubishi Electric ICONICS GENESIS64 vulnerability analysis and mitigation

Deserialization of Untrusted Data vulnerability (CVE-2022-33320) affects ICONICS GENESIS64 versions 10.97.1 and prior and Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior. The vulnerability allows an unauthenticated attacker to execute arbitrary malicious code by leading a user to load a project configuration file containing malicious XML codes (CISA Advisory, JVN Advisory).

The vulnerability is classified as CWE-502 (Deserialization of Untrusted Data). It has a CVSS v3.1 base score of 7.8 (High) with the vector string AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The vulnerability exists in the project management functionality of both GENESIS64 and MC Works64 products, where malicious XML code in project configuration files can be executed when loaded (ZDI Advisory, Mitsubishi Advisory).

If successfully exploited, this vulnerability could allow an attacker to execute arbitrary code with the privileges of the current process. This could potentially lead to complete system compromise, including information disclosure, system manipulation, and service disruption (ZDI Advisory).

ICONICS and Mitsubishi Electric have released security updates to address this vulnerability. Users should update to GENESIS64 and MC Works64 version 10.97.2 or later. Until updates can be applied, it is recommended to use firewalls to protect control system networks, isolate them from business networks, and avoid clicking web links or opening unsolicited attachments in email messages (CISA Advisory, Mitsubishi Advisory).