CVE-2025-11774
Unknown Unknown - Not Provided
OS Command Injection in Mitsubishi Electric GENESIS64 Keypad Function

Publication date: 2025-12-19

Last updated on: 2025-12-19

Assigner: Mitsubishi Electric Corporation

Description
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in the software keyboard function (hereinafter referred to as "keypad function") of Mitsubishi Electric GENESIS64 versions 10.97.2 CFR3 and prior, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97.2 CFR3 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.2 CFR3 and prior, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite versions 10.97.2 CFR3 and prior, Mitsubishi Electric MobileHMI versions 10.97.2 CFR3 and prior, Mitsubishi Electric Iconics Digital Solutions MobileHMI versions 10.97.2 CFR3 and prior, and Mitsubishi Electric MC Works64 all versions allows a local attacker to execute arbitrary executable files (EXE) when a legitimate user uses the keypad function by tampering with the configuration file for the function. This could allow the attacker to disclose, tamper with, delete, or destroy information stored on the PC where the affected product is installed, or cause a denial-of-service (DoS) condition on the system, through the execution of the EXE.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-19
Last Modified
2025-12-19
Generated
2026-06-16
AI Q&A
2025-12-19
EPSS Evaluated
2026-06-14
NVD
CVE-2025-11774
EUVD
EUVD-2025-204434
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
mitsubishi_electric iconics_suite 10.97.2_cfr3
mitsubishi_electric mc_works64 *
mitsubishi_electric mobilehmi 10.97.2_cfr3
mitsubishi_electric genesis64 10.97.2_cfr3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an OS Command Injection flaw in the software keyboard (keypad) function of certain Mitsubishi Electric products. It occurs because special elements used in OS commands are not properly neutralized, allowing a local attacker to tamper with the keypad function's configuration file. When a legitimate user operates the keypad, the attacker can execute arbitrary executable files (EXE) on the affected PC. [1, 2]

Impact Analysis

Exploiting this vulnerability can allow an attacker to execute arbitrary programs on the affected PC, potentially leading to disclosure, tampering, deletion, or destruction of stored information. It can also cause denial-of-service (DoS) conditions on the system, impacting confidentiality, integrity, and availability of data and services. [1, 2]

Mitigation Strategies

Immediate mitigation steps include: 1. For GENESIS64, ICONICS Suite, and MobileHMI users, update to version 10.97.3 or later, or upgrade to GENESIS V11. 2. For MC Works64 users, migrate to GENESIS64 version 10.97.3 or later as no fixed version will be released. 3. Use affected PCs only within trusted LAN environments and block remote login from untrusted networks, hosts, and users. 4. Employ firewalls or VPNs to restrict unauthorized access and allow remote login only to trusted users. 5. Restrict physical access to affected PCs and their connected networks. 6. Avoid clicking on links or opening attachments from untrusted email sources. 7. Install antivirus software on affected PCs. For further assistance, contact Mitsubishi Electric FA support. [1, 2]

Compliance Impact

This vulnerability allows an attacker to execute arbitrary code on affected systems, potentially leading to disclosure, tampering, deletion, or destruction of sensitive information stored on the PC. Such unauthorized access and manipulation of data can result in non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches. Therefore, exploitation of this vulnerability could compromise compliance with these standards by exposing or altering protected data. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11774. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart