CVE-2024-1574: 
Mitsubishi Electric ICONICS GENESIS64 vulnerability analysis and mitigation

CVE-2024-1574 is a Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability affecting the licensing feature of ICONICS GENESIS64 versions 10.97 to 10.97.2, Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.2, and Mitsubishi Electric MC Works64 all versions. The vulnerability was disclosed on July 4, 2024 (NVD, CISA).

The vulnerability is classified as CWE-470 (Use of Externally-Controlled Input to Select Classes or Code) and exists in the licensing service used by ICONICS licensing. It has been assigned a CVSS v3.1 base score of 6.7 MEDIUM with the vector string CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H. The vulnerability requires local access, high attack complexity, low privileges, and user interaction to exploit (CISA).

Successful exploitation of this vulnerability could allow a local attacker to execute malicious code with administrative privileges by tampering with a specific file that is not protected by the system. The vulnerability affects critical manufacturing sectors worldwide (CISA).

ICONICS has released version 10.97.3 which contains fixes for this vulnerability. For MC Works64 users, Mitsubishi Electric recommends following the mitigations described in their security advisory as there are no plans to release a fix version. CISA recommends minimizing network exposure for control system devices, ensuring they are not accessible from the internet, and locating control system networks and remote devices behind firewalls isolated from business networks (CISA).