CVE-2025-11774
OS Command Injection in Mitsubishi Electric GENESIS64 Keypad Function
Publication date: 2025-12-19
Last updated on: 2025-12-19
Assigner: Mitsubishi Electric Corporation
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mitsubishi_electric | iconics_suite | 10.97.2_cfr3 |
| mitsubishi_electric | mc_works64 | * |
| mitsubishi_electric | mobilehmi | 10.97.2_cfr3 |
| mitsubishi_electric | genesis64 | 10.97.2_cfr3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an OS command injection flaw (CWE-78) in the software keyboard (keypad) function of certain Mitsubishi Electric products. It arises because special elements used in OS commands are not properly neutralized: a local attacker who can tamper with the keypad function's configuration file can plant a command that is executed when a legitimate user later operates the keypad, giving the attacker the ability to run arbitrary executable files (EXE) on the affected PC. [1, 2]
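The pattern behind CWE-78 here, as an added illustration that is not GENESIS64's code and makes no claim about its real configuration format: a launcher reads the program it should start from a settings file, and the vulnerable variant splices that value into a `cmd.exe /c` line, so shell metacharacters written into the file by a local attacker become extra commands. The hardened variant rejects metacharacters, resolves the value as a path, requires it to match a fixed allowlist, and hands it to the process API as an argv list with no shell. The config layout, key name, paths and allowlist are hypothetical, and the sample files are constructed inline.

```python
from pathlib import PureWindowsPath
import subprocess

# Constructed sample: a keypad-style settings file whose "launch" key names the
# program the keypad starts. The key name and layout are hypothetical, not the
# real GENESIS64 file format.
SAMPLE_CONFIG = """
[keypad]
launch = C:\\Program Files\\Vendor\\Keypad\\OnScreenKeyboard.exe
"""

# The same file after a local attacker with write access has appended a
# second command behind a shell separator.
TAMPERED_CONFIG = """
[keypad]
launch = C:\\Program Files\\Vendor\\Keypad\\OnScreenKeyboard.exe & C:\\Users\\Public\\payload.exe
"""

# Hypothetical allowlist of the only executables the keypad is ever meant to run.
ALLOWED_LAUNCHERS = {
    PureWindowsPath(r"C:\Program Files\Vendor\Keypad\OnScreenKeyboard.exe"),
}

# Characters cmd.exe treats specially (command separators, pipes, redirection,
# escape, quoting, environment expansion) plus line breaks.
SHELL_METACHARS = '&|<>^"%\n\r'


def read_launch_value(config_text: str) -> str:
    """Return the raw 'launch = ...' value from the settings text."""
    for line in config_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "launch":
            return value.strip()
    raise ValueError("no launch key in config")


def vulnerable_command(config_text: str) -> str:
    """CWE-78 pattern: the file value is spliced into a shell command line
    unchanged, so '&' in the file becomes a second command when cmd.exe
    parses it. Returned as a string only; never executed here."""
    return f'cmd.exe /c "{read_launch_value(config_text)}"'


def hardened_launch_args(config_text: str) -> list[str]:
    """Neutralise the input instead of trusting the file: refuse shell
    metacharacters, require an absolute path that is on the allowlist, and
    return an argv list that can be passed to the process API without a shell."""
    value = read_launch_value(config_text)
    if any(ch in value for ch in SHELL_METACHARS):
        raise ValueError(f"shell metacharacters in launch value: {value!r}")
    candidate = PureWindowsPath(value)
    if not candidate.is_absolute() or candidate not in ALLOWED_LAUNCHERS:
        raise ValueError(f"launch target not on allowlist: {value!r}")
    return [str(candidate)]


def launch_from_config(config_text: str) -> int:
    """Start the validated program with shell=False so argv is passed straight
    to CreateProcess and nothing in it is re-parsed by cmd.exe. Not called in
    this module because the hypothetical executable does not exist."""
    return subprocess.run(hardened_launch_args(config_text), shell=False, check=False).returncode


if __name__ == "__main__":
    print("vulnerable:", vulnerable_command(TAMPERED_CONFIG))
    print("hardened  :", hardened_launch_args(SAMPLE_CONFIG))
    try:
        hardened_launch_args(TAMPERED_CONFIG)
    except ValueError as err:
        print("hardened rejects tampered file:", err)
```

Note that rejecting metacharacters alone is not enough: an attacker who can write the file could still point it at any executable they control, which is why the allowlist and absolute-path requirement matter, and why the advisory's guidance of restricting write access to the PC is the real fix until the patched version is installed.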
How can this vulnerability impact me?
Exploiting this vulnerability can allow an attacker to execute arbitrary programs on the affected PC, potentially leading to disclosure, tampering, deletion, or destruction of stored information. It can also cause denial-of-service (DoS) conditions on the system, impacting confidentiality, integrity, and availability of data and services. [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
1. For GENESIS64, ICONICS Suite, and MobileHMI users, update to version 10.97.3 or later, or upgrade to GENESIS V11.
2. For MC Works64 users, migrate to GENESIS64 version 10.97.3 or later, as no fixed version of MC Works64 will be released.
3. Use affected PCs only within trusted LAN environments and block remote login from untrusted networks, hosts, and users.
4. Employ firewalls or VPNs to restrict unauthorized access and allow remote login only to trusted users.
5. Restrict physical access to affected PCs and their connected networks.
6. Avoid clicking on links or opening attachments from untrusted email sources.
7. Install antivirus software on affected PCs.
For further assistance, contact Mitsubishi Electric FA support. [1, 2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an attacker to execute arbitrary code on affected systems, potentially leading to disclosure, tampering, deletion, or destruction of sensitive information stored on the PC. Such unauthorized access and manipulation of data can result in non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches. Therefore, exploitation of this vulnerability could compromise compliance with these standards by exposing or altering protected data. [1, 2]