Full Report
We detail our discovery of CVE-2025-0921, a privileged file system flaw in the ICONICS Suite SCADA system that could lead to a denial-of-service (DoS) attack. The post Privileged File System Vulnerability Present in a SCADA System appeared first on Unit 42.
Analysis Summary
# Vulnerability: Privileged File System Flaw in ICONICS Suite (DoS)
## CVE Details
- **CVE ID:** CVE-2025-0921
- **CVSS Score:** 6.5 (Medium)
- **CWE:** CWE-73 (External Control of File Name or Path) / CWE-281 (Improper Preservation of Permissions)
## Affected Systems
- **Products:** ICONICS Suite, Mitsubishi Electric GeneXus Configuration Tool, and Mitsubishi Electric MC Works64.
- **Versions:**
  - ICONICS Suite: Versions 10.96.4 and prior.
  - MC Works64: Versions 4.04E (10.95.210.01) and prior.
- **Configurations:** Systems where the ICONICS Suite services are running with high privileges (e.g., SYSTEM).
## Vulnerability Description
The vulnerability stems from an insecure file system operation within the ICONICS Suite. A low-privileged user can manipulate file paths or symbolic links used by a privileged service. Specifically, a privileged process improperly handles file permissions or paths when performing maintenance or log rotations. An attacker can use this to redirect a file operation to a critical system file, causing the privileged service to modify or delete it, ultimately leading to a Denial-of-Service (DoS) condition by crashing the SCADA application or the underlying OS.
## Exploitation
- **Status:** PoC available (detailed in the research findings); no known exploitation in the wild at this time.
- **Complexity:** Low to Medium
- **Attack Vector:** Local (Requires the attacker to have local access to the system to create symbolic links or manipulate local paths).
## Impact
- **Confidentiality:** None
- **Integrity:** Medium (Unauthorized modification of system files)
- **Availability:** High (Can lead to complete service or system failure)
## Remediation
### Patches
- **ICONICS:** Update to ICONICS Suite v10.96.5 or apply the latest critical fixes provided by the vendor.
- **Mitsubishi Electric:** Refer to the Mitsubishi Electric advisory for MC Works64 updates corresponding to the patched ICONICS core.
### Workarounds
- Restrict physical and remote interactive login access to SCADA workstations to authorized personnel only.
- Implement the principle of least privilege (PoLP) and ensure low-privileged users cannot write to directories used by high-privileged services.
## Detection
- **Indicators of Compromise:** Unexpected modifications to system file permissions, or the presence of suspicious symbolic links or junctions in application log directories.
- **Detection methods and tools:**
  - Monitor file system events (ETW or Sysmon) for `cmd.exe` or `powershell.exe` creating symbolic links or junctions.
  - Use Process Monitor (ProcMon) to identify privileged services attempting to access user-writable locations.
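The following is an added detection example (not code from Unit 42 or the vendors) that applies the first method above to process-creation records: it flags `cmd.exe` running `mklink` and PowerShell running `New-Item -ItemType SymbolicLink|Junction|HardLink`, and raises the severity when the link is created inside a directory the privileged service writes to. The record shape, the `WATCHED_DIRS` path and the sample events are constructed placeholders; substitute the real log directories of the monitored host.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcessEvent:
    """Simplified process-creation record (constructed; mirrors the Image,
    CommandLine and User fields of a Sysmon Event ID 1)."""
    image: str
    command_line: str
    user: str

# Placeholder: directories the privileged SCADA service writes to (log rotation,
# maintenance). Replace with the real paths; compared case-insensitively.
WATCHED_DIRS = [r"c:\programdata\example_scada\logs"]

# cmd.exe: mklink [/D | /J | /H] <link> <target>
MKLINK_RE = re.compile(r'(?i)\bmklink\b((?:\s+/[djh])*)\s+("[^"]+"|\S+)\s+("[^"]+"|\S+)')
# PowerShell: New-Item -ItemType SymbolicLink|Junction|HardLink -Path <link> ...
PS_LINK_RE = re.compile(r"(?i)\bnew-item\b.*?-itemtype\s+(symboliclink|junction|hardlink)")
PS_PATH_RE = re.compile(r"""(?i)-path\s+("[^"]+"|'[^']+'|\S+)""")
MKLINK_KINDS = {"": "file symlink", "/d": "dir symlink", "/j": "junction", "/h": "hardlink"}

def _under_watched(path: str) -> bool:
    p = path.strip("\"'").lower()
    return any(p.startswith(d) for d in WATCHED_DIRS)

def link_creation_alerts(events):
    """One alert per event in which cmd.exe or PowerShell creates a link;
    severity is 'high' when the link lands in a watched directory."""
    alerts = []
    for ev in events:
        exe = ev.image.rsplit("\\", 1)[-1].lower()
        link = None
        if exe == "cmd.exe" and (m := MKLINK_RE.search(ev.command_line)):
            kind = MKLINK_KINDS.get(m.group(1).strip().lower(), "link")
            link = m.group(2)
        elif exe in ("powershell.exe", "pwsh.exe") and (m := PS_LINK_RE.search(ev.command_line)):
            kind = m.group(1).lower()
            pm = PS_PATH_RE.search(ev.command_line)
            link = pm.group(1) if pm else "?"
        if link is None:
            continue
        alerts.append({"user": ev.user, "kind": kind, "link": link.strip("\"'"),
                       "severity": "high" if _under_watched(link) else "medium"})
    return alerts

# Constructed sample events: a junction created inside the watched log directory,
# a file symlink created in the user's own profile, and a benign cmd.exe run.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\cmd.exe",
                 r"cmd.exe /c mklink /J C:\ProgramData\EXAMPLE_SCADA\Logs\Archive D:\Scratch", r"WS01\operator"),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -Command New-Item -ItemType SymbolicLink -Path C:\Users\operator\link.txt -Target D:\Scratch\a.txt",
                 r"WS01\operator"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"cmd.exe /c dir C:\ProgramData", r"WS01\operator"),
]

if __name__ == "__main__":
    for alert in link_creation_alerts(SAMPLE_EVENTS):
        print(alert)
```

The same rule can be expressed as a SIEM query over Sysmon Event ID 1 `CommandLine` fields; the watched-directory check is what separates routine link creation from a link placed where the privileged service will follow it.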
## References
- **Vendor Advisory (Mitsubishi):** hxxps[://]www[.]mitsubishielectric[.]com/en/capabilities/it/security/advisories/index[.]html
- **Unit 42 Research:** hxxps[://]unit42[.]paloaltonetworks[.]com/privileged-file-system-vulnerability-scada-system/
- **CISA Advisory:** hxxps[://]www[.]cisa[.]gov/news-events/ics-advisories/ [Search for CVE-2025-0921]