Critical SQL Credential Disclosure Vulnerabilities in Mitsubishi Electric GENESIS64 & ICONICS Suite (CVE‑2025‑14815, CVE‑2025‑14816) Threaten Industrial Operations
What It Is – Two high‑severity (CVSS 8.8) flaws in Mitsubishi Electric’s GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian, Analytix, MC Works 64 and GENESIS products allow a locally‑authenticated attacker to read clear‑text SQL Server credentials stored by the SQLite caching feature.
Exploitability – Any user who can authenticate locally to the host can trigger the flaws; proof‑of‑concept code has been published and CISA has issued an advisory. No remote exploit is publicly known yet, but the barrier is low for a malicious insider or for an attacker who has already compromised an operator or engineering workstation, since the credentials can then be reused against the back‑end SQL Server.
Affected Products –
- GENESIS64 ≤ 10.97.3
- ICONICS Suite ≤ 10.97.3
- MobileHMI ≤ 10.97.3
- Hyper Historian ≤ 10.97.3
- Analytix ≤ 10.97.3
- MC Works 64 (all versions)
- GENESIS ≤ 11.02
TPRM Impact – These products are widely deployed in critical‑manufacturing and utility control networks. Because the disclosed credentials belong to the back‑end SQL Server, an attacker inherits that account's database rights, enabling tampering with historian and alarm data, unauthorized configuration changes, or denial‑of‑service against the database. This creates a supply‑chain risk for any organization that relies on Mitsubishi Electric/ICONICS control software, directly or through an integrator.
Recommended Actions –
- Apply the vendor‑provided patches immediately (or upgrade to the latest supported version).
- Disable the local SQLite caching feature if it is not required for operations.
- Treat any SQL Server credential the affected hosts may have cached as exposed: rotate it, and replace shared or default SQL accounts with dedicated, least‑privilege accounts (or Windows‑integrated authentication where the product supports it) so a future leak yields less.
- Segment control‑system networks from corporate IT and limit local console access.
- Monitor SQL Server logins for the HMI/historian service accounts and alert on use from hosts, times, or query patterns outside normal control‑system traffic, which is the earliest sign that a cached credential is being reused.
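The condition behind these flaws is a SQLite cache that holds SQL Server connection strings with clear‑text passwords. The following hunting script is an added example, not code from the CISA advisory or from Mitsubishi Electric/ICONICS: it does not know where GENESIS64 or ICONICS Suite store their cache (the directory to check is an assumption you supply), but it walks a directory, identifies SQLite files by their header, opens each read‑only, and reports every cell that contains a connection string with a `Password=`/`Pwd=` key, redacting the secret so the report itself does not become a second disclosure. The sample database it builds is constructed for the demo.

```python
"""Hunt SQLite files for clear-text SQL Server credentials.

Added example (not the advisory's or the vendor's code). It does not know the
product's cache location; point scan_directory() at the directory to check.
"""
import os
import re
import sqlite3
import tempfile

SQLITE_MAGIC = b"SQLite format 3\x00"

# SQL Server connection-string keys that carry a clear-text secret / the user.
SECRET_KEY_RE = re.compile(r"(?i)\b(password|pwd)\s*=\s*([^;]+)")
USER_KEY_RE = re.compile(r"(?i)\b(user id|uid|user)\s*=\s*([^;]+)")


def is_sqlite_file(path):
    """True if the file starts with the SQLite 3 header (cheap, no parsing)."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC
    except OSError:
        return False


def _as_text(value):
    if isinstance(value, str):
        return value
    if isinstance(value, (bytes, bytearray)):
        return value.decode("utf-8", errors="ignore")
    return None


def scan_sqlite_file(path):
    """Return one finding per cell holding a connection string with a password."""
    findings = []
    # Read-only open so the hunt never modifies the evidence.
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        tables = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table' "
            "AND name NOT LIKE 'sqlite_%'")]
        for table in tables:
            quoted = '"' + table.replace('"', '""') + '"'
            try:
                cur = conn.execute(f"SELECT rowid, * FROM {quoted}")
            except sqlite3.OperationalError:  # WITHOUT ROWID table
                cur = conn.execute(f"SELECT NULL, * FROM {quoted}")
            cols = [d[0] for d in cur.description][1:]
            for row in cur:
                for col, cell in zip(cols, row[1:]):
                    text = _as_text(cell)
                    if not text:
                        continue
                    m = SECRET_KEY_RE.search(text)
                    if not m:
                        continue
                    u = USER_KEY_RE.search(text)
                    findings.append({
                        "file": path,
                        "table": table,
                        "column": col,
                        "rowid": row[0],
                        "user": u.group(2).strip() if u else None,
                        # Keep the string for context but never the secret itself.
                        "redacted": text[:m.start(2)] + "***" + text[m.end(2):],
                    })
    finally:
        conn.close()
    return findings


def scan_directory(root):
    """Walk root, scan every SQLite file found, skip anything unreadable or corrupt."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not is_sqlite_file(path):
                continue
            try:
                findings.extend(scan_sqlite_file(path))
            except sqlite3.DatabaseError:
                continue
    return findings


def build_sample_cache(directory):
    """Constructed sample: one SQL-auth string (a finding) and one integrated-auth string."""
    path = os.path.join(directory, "cache.db")
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE Connections(Name TEXT, ConnString TEXT)")
    conn.executemany("INSERT INTO Connections VALUES (?, ?)", [
        ("historian", "Server=HIST01;Database=Historian;User ID=hmi_svc;Password=Sup3rS3cret!;"),
        ("alarms", "Server=ALM01;Database=Alarms;Integrated Security=SSPI;"),
    ])
    conn.commit()
    conn.close()
    # A non-SQLite file in the same tree, to show it is skipped.
    with open(os.path.join(directory, "notes.txt"), "w") as fh:
        fh.write("Password=not-a-database\n")
    return path


def demo():
    """Build the constructed sample in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_cache(d)
        return scan_directory(d)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']} [{f['table']}.{f['column']} rowid={f['rowid']}] "
              f"user={f['user']}: {f['redacted']}")
```

Run it against a copy of the affected host's application-data tree rather than the live files; a finding with a SQL-auth user is the account to rotate first, and the redacted string tells you which server and database it reaches.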
Source: CISA Advisory – ICSA‑26‑097‑01