CVE-2025-14816
Cleartext SQL Credentials Exposure in Mitsubishi Electric Hyper Historian
Publication date: 2026-04-08
Last updated on: 2026-04-08
Assigner: Mitsubishi Electric Corporation
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mitsubishi_electric | genesis64 | to 10.97.3 (exc) |
| mitsubishi_electric | iconics_suite | to 10.97.3 (exc) |
| mitsubishi_electric | mobilehmi | to 10.97.3 (exc) |
| mitsubishi_electric | hyper_historian | to 10.97.3 (exc) |
| mitsubishi_electric | analyti_x | to 10.97.3 (exc) |
| mitsubishi_electric | genesis | to 11.02 (exc) |
| mitsubishi_electric | mc_works64 | * |
| mitsubishi_electric | iconics_digital_solutions_genesis64 | to 10.97.3 (exc) |
| mitsubishi_electric | iconics_digital_solutions_iconics_suite | to 10.97.3 (exc) |
| mitsubishi_electric | iconics_digital_solutions_mobilehmi | to 10.97.3 (exc) |
| mitsubishi_electric | iconics_digital_solutions_hyper_historian | to 10.97.3 (exc) |
| mitsubishi_electric | iconics_digital_solutions_analyti_x | to 10.97.3 (exc) |
| mitsubishi_electric | iconics_digital_solutions_genesis | to 11.02 (exc) |
| mitsubishi_electric | analytix | to 10.97.3 (exc) |
| mitsubishi_electric | iconics_digital_solutions | to 10.97.3 (exc) |
| mitsubishi_electric | iconics_digital_solutions | to 11.02 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-317 | The product stores sensitive information in cleartext within the GUI. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-14816 is a critical vulnerability in several Mitsubishi Electric products: the graphical user interface (GUI) of the Hyper Historian Splitter feature displays the SQL Server credentials in plaintext when the SQL Server connection is configured for SQL authentication rather than Windows authentication.
A local attacker with access to the system can read these credentials and potentially use them to gain unauthorized access to the SQL Server.
The affected products include GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian, AnalytiX, MC Works64, and GENESIS in specified versions.
The vulnerability is categorized under CWE-317, which involves cleartext storage of sensitive information in the GUI.
How can this vulnerability impact me?
An attacker exploiting this vulnerability can obtain SQL Server credentials, which may lead to unauthorized access to the SQL Server.
This unauthorized access can result in data disclosure, tampering, destruction, and potentially cause denial-of-service (DoS) conditions on the affected system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability exposes SQL Server credentials in plaintext in the GUI of the Hyper Historian Splitter feature when the SQL Server connection uses SQL authentication. Detection therefore comes down to verifying whether affected versions of the Mitsubishi Electric products are installed and whether the GUI exposes credentials.
Specific commands to detect this vulnerability are not provided in the available resources. However, general detection steps include:
- Identify if the system is running affected versions of Mitsubishi Electric products such as GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian, AnalytiX, MC Works64, or GENESIS.
- Check if SQL Server authentication is configured to use SQL authentication rather than Windows authentication.
- Manually inspect the Hyper Historian Splitter GUI for any visible SQL Server credentials displayed in plaintext.
Since the vulnerability is GUI-based, automated network or system commands for detection are not detailed in the resources.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps for CVE-2025-14816 include upgrading affected Mitsubishi Electric products to fixed versions where available and applying recommended security practices.
- Upgrade GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian, and AnalytiX to ICONICS Suite version 10.98 or later.
- Upgrade GENESIS to version 11.03 or later.
- For MC Works64, since no fixed version is planned, consider migrating to GENESIS64.
- Restrict execution permissions of HHSplitter.exe to trusted administrators or delete the executable if it is not necessary.
- Use Windows authentication instead of SQL authentication for SQL Server to avoid exposure of credentials.
- Restrict PC login to administrators only and use affected products within a secure LAN environment, blocking remote logins from untrusted networks and non-administrators.
- Employ firewalls, VPNs, and restrict remote access to administrators only.
- Limit physical access to affected PCs and their networks.
- Avoid interacting with untrusted email links or attachments.
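The following PowerShell script is an added example, not code from Mitsubishi Electric or from this advisory. It turns two of the items above into something a defender can run: the detection step (confirm HHSplitter.exe is present and record its file version) and the workaround of restricting execution of HHSplitter.exe to trusted administrators. The install path of HHSplitter.exe is an assumption passed in by the caller, since the advisory does not state it; the function and variable names are likewise this example's own. Run it from an elevated PowerShell session on the affected host.

```powershell
# Added example (not vendor code). Audits and hardens HHSplitter.exe per the
# advisory's workaround: restrict execution to trusted administrators.
# Assumption: the caller supplies the real install path of HHSplitter.exe.

Set-StrictMode -Version Latest

# Principals allowed to keep execute rights once the ACL is tightened.
# Add the Hyper Historian service account here if the service itself must launch the splitter.
$script:TrustedPrincipals = @(
    'BUILTIN\Administrators',
    'NT AUTHORITY\SYSTEM'
)

function Get-SplitterExposure {
    # Reports presence, file version, and every principal outside the trusted list
    # that holds an Allow ACE granting ExecuteFile. A non-empty NonAdminExecute list
    # means the workaround is not in place on this host.
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Present = $false; Version = $null; NonAdminExecute = @() }
    }

    $version = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
    $acl     = Get-Acl -LiteralPath $Path
    $execute = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
    $exposed = [System.Collections.Generic.List[string]]::new()

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (($ace.FileSystemRights -band $execute) -eq 0) { continue }
        if ($script:TrustedPrincipals -contains $ace.IdentityReference.Value) { continue }
        $exposed.Add($ace.IdentityReference.Value)
    }

    [pscustomobject]@{
        Path            = $Path
        Present         = $true
        Version         = $version
        NonAdminExecute = $exposed.ToArray()
    }
}

function Set-SplitterAdminOnlyAcl {
    # Replaces the file's ACL with explicit FullControl for the trusted principals only.
    # Inherited ACEs (typically Users: ReadAndExecute from the parent folder) are dropped.
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    # Stop inheriting from the parent folder and discard the inherited ACEs ($false = do not preserve).
    $acl.SetAccessRuleProtection($true, $false)
    # Remove any remaining explicit ACEs so the result is exactly the rules added below.
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    foreach ($principal in $script:TrustedPrincipals) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $principal, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# Example run. Placeholder path: substitute the real HHSplitter.exe location on your host.
$splitter = 'C:\Path\To\HHSplitter.exe'
$before = Get-SplitterExposure -Path $splitter
if (-not $before.Present) {
    "HHSplitter.exe not found at $splitter (nothing to harden, or wrong path)"
}
elseif ($before.NonAdminExecute.Count -gt 0) {
    "HHSplitter.exe $($before.Version) is executable by: $($before.NonAdminExecute -join ', ')"
    Set-SplitterAdminOnlyAcl -Path $splitter
    $after = Get-SplitterExposure -Path $splitter
    "After hardening, non-admin principals with execute rights: $($after.NonAdminExecute.Count)"
}
else {
    "HHSplitter.exe $($before.Version) is already restricted to trusted principals"
}
```

The ACL change is the advisory's "restrict execution permissions" workaround, so it belongs on hosts that still need the splitter; where it is not needed, deleting the executable as the advisory suggests removes the exposure entirely. Either way, this only limits who can open the GUI; it does not change what the GUI shows, so switching the SQL Server connection to Windows authentication and upgrading to the fixed versions listed above remain the actual fixes.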
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows local attackers to disclose SQL Server credentials displayed in plaintext in the GUI, potentially leading to unauthorized access, data disclosure, tampering, destruction, and denial-of-service conditions.
Such unauthorized access and potential data breaches could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive information and prevention of unauthorized data access.
However, the provided information does not explicitly mention the impact on compliance with these standards or specific regulatory requirements.