Current Cyber Threats

Privileged File System Vulnerability Present in a SCADA System

Summary:
CVE-2025-0921 is a medium-severity vulnerability (CVSS 6.5) involving "Execution with Unnecessary Privileges" within the ICONICS Suite and various Mitsubishi Electric industrial software products, including GENESIS64 and MC Works64. The flaw resides in several services, most notably the Pager Agent within the AlarmWorX64 MMX component. It occurs when privileged services interact with file system operations, such as logging, without adequate access controls.

A local, low-privileged attacker can exploit this by manipulating configuration files (like IcoSetup64[.]ini) to change log file paths. By creating a specially crafted symbolic link (symlink) from the application's write destination to a sensitive system file, the attacker can force the high-privileged service to overwrite or destroy critical system binaries.

Security Officer Comments:
The primary impact of this vulnerability is a significant risk to the integrity and availability of Supervisory Control and Data Acquisition (SCADA) systems. Because the affected services run with elevated system privileges, an attacker can redirect file writes to corrupt essential Windows components, such as the cng[.]sys driver.

Such corruption typically results in a permanent Denial-of-Service (DoS) condition, often trapping the affected workstation in an endless "Blue Screen of Death" (BSOD) or repair loop upon reboot. In an Operational Technology (OT) environment, this can lead to the total loss of visibility and control over industrial processes in sectors like energy, manufacturing, and water treatment. While the attack requires local access, it can be combined with other vulnerabilities to achieve full system compromise.
  • Critical Manufacturing is the most highly represented sector. Companies using these tools for factory automation, assembly line monitoring, and production management are at risk.
  • Energy and Utilities widely use these products to monitor power generation and resource distribution.
  • Data Center infrastructure managers who use ICONICS for DCIM (Data Center Infrastructure Management) to monitor power and cooling are also exposed.
  • MSPs often use Remote Monitoring and Management (RMM) tools or VPNs to maintain client SCADA systems. If an attacker gains a foothold on a client's HMI via an MSP's remote access tool, they can use CVE-2025-0921 to escalate from a low-level remote user to SYSTEM privileges.
The "at-risk" targets are typically the Engineering Workstations and HMI (Human-Machine Interface) Servers. These are the machines where the software is installed to allow operators to see and control the industrial process. If an attacker triggers the vulnerability on these specific machines, the resulting "Blue Screen of Death" (BSOD) loop effectively "blinds" the plant operators, making it impossible to respond to real-world physical emergencies or process failures.

Suggested Corrections:
Mitsubishi Electric and Unit 42 recommend a multi-layered approach to mitigation.
  • For users of GENESIS, upgrading to version 11.01 or later provides a definitive fix; for version 11.00 users, the "Classic OPC Point Manager" service should remain disabled as it is a known vector.
  • For legacy products like GENESIS32 and BizViz, which have reached the end of their lifecycle and will not receive patches, organizations are strongly urged to migrate to supported versions of GENESIS64.
General defensive measures include restricting PC access to administrative users only, blocking remote logins from untrusted networks, and employing robust firewalls or VPNs. Additionally, administrators should ensure that physical access to SCADA workstations is strictly controlled and that "least privilege" principles are applied to all file system directories used by the software for logging.

Link(s):
https://unit42.paloaltonetworks.com/iconics-suite-cve-2025-0921/