
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
An improper authentication vulnerability (CVE-2024-1573) affects the mobile monitoring feature of ICONICS GENESIS64 versions 10.97 to 10.97.2, Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.2, and Mitsubishi Electric MC Works64 all versions. The vulnerability allows a remote unauthenticated attacker to bypass proper authentication and log in to the system under specific conditions (NIST NVD, CISA Advisory).
The vulnerability has been assigned a CVSS v3.1 base score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N. Exploitation requires all of the following conditions to be met simultaneously: Active Directory must be used in the security setting, the 'Automatic log in' option must be enabled, the IcoAnyGlass IIS Application Pool must be running under an Active Directory Domain Account, and the IcoAnyGlass IIS Application Pool account must be included in GENESIS64 and MC Works64 Security with login permissions (CISA Advisory).
If successfully exploited, this vulnerability could allow an unauthorized attacker to bypass authentication mechanisms and gain improper access to the system. The impact is primarily focused on integrity (High), while confidentiality and availability are not directly affected according to the CVSS metrics (NIST NVD).
For ICONICS Product Suite, versions 10.97.3 and later contain mitigations for this vulnerability. For MC Works64, there are no plans to release a fixed version, so users should implement the mitigations described in the Mitsubishi Electric security advisory. CISA recommends minimizing network exposure for control system devices, ensuring they are not accessible from the internet, locating control system networks behind firewalls, and isolating them from business networks (CISA Advisory).
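The affected versions and the four simultaneous preconditions above can be turned into an exposure triage over an asset inventory. This is an added example, not code from the advisory or the vendors; the `Host` record, its field names and the sample inventory are assumptions, and version strings are assumed to use the dotted form the advisory uses.

```python
from dataclasses import dataclass

# Affected ranges as stated above; None means all versions are affected.
AFFECTED = {"GENESIS64": ((10, 97, 0), (10, 97, 2)), "MC Works64": None}

@dataclass
class Host:
    """Constructed inventory record; every field name is an assumption."""
    name: str
    product: str
    version: str                  # dotted form, e.g. "10.97.2"
    ad_security: bool             # Active Directory used in the security setting
    auto_login: bool              # 'Automatic log in' enabled
    pool_domain_account: bool     # IcoAnyGlass pool runs as an AD domain account
    pool_account_can_login: bool  # that account has login permission in Security

def version_key(text):
    """First three numeric components, zero-padded: '10.97' -> (10, 97, 0)."""
    parts = [int(p) for p in text.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def affected_version(host):
    if host.product not in AFFECTED:
        return False
    bounds = AFFECTED[host.product]
    return bounds is None or bounds[0] <= version_key(host.version) <= bounds[1]

def triage(host):
    """Return (status, action) for one host."""
    if not affected_version(host):
        return ("not-affected", "none")
    action = ("upgrade to 10.97.3 or later" if host.product == "GENESIS64"
              else "apply vendor advisory mitigations (no fix planned)")
    preconditions = (host.ad_security, host.auto_login,
                     host.pool_domain_account, host.pool_account_can_login)
    # All four conditions must hold at once for the bypass to be reachable.
    status = "exposed" if all(preconditions) else "affected-preconditions-unmet"
    return (status, action)

# Constructed sample inventory, not real hosts.
INVENTORY = [
    Host("hmi-01", "GENESIS64", "10.97.1", True, True, True, True),
    Host("hmi-02", "GENESIS64", "10.97.2", True, False, True, True),
    Host("hmi-03", "GENESIS64", "10.97.3", True, True, True, True),
    Host("scada-01", "MC Works64", "4.04", True, True, True, True),
]

if __name__ == "__main__":
    for h in INVENTORY:
        print(h.name, *triage(h))
```

A host reported as `affected-preconditions-unmet` still runs an affected version, so the listed action applies to it as well; only the urgency differs.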
Source: This report was generated using AI