CVE-2022-33320

Published: Jul 20, 2022Modified: Jan 9, 2026

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: NVD

Description

Deserialization of Untrusted Data vulnerability in Mitsubishi Electric GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97 to 10.97.1, Mitsubishi Electric ICONICS Suite versions 10.97 to 10.97.1, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite versions 10.97 to 10.97.1, and Mitsubishi Electric MC Works64 versions 4.04E and prior allows an unauthenticated attacker to execute an arbitrary malicious code by leading a user to load a project configuration file including malicious XML codes.

Affected (3)

Products: Iconics: Genesis64 · Mitsubishielectric: Mc Works64

1 product

Mitsubishielectric

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Iconics Genesis64	Version 10.97.1
Iconics Genesis64	Version 10.97

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Mitsubishielectric Mc Works64	Up to 10.95.210.01

Related CWEs

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (5)

https://jvn.jp/vu/JVNVU96480474/index.html

Source: Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp

Third Party Advisory

https://www.cisa.gov/news-events/ics-advisories/icsa-22-202-04

Source: Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp

https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf

Source: Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp

Third Party Advisory

https://jvn.jp/vu/JVNVU96480474/index.html

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-008_en.pdf

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.