CVE-2024-1573 in ICONICSinfo

Summary

by MITRE • 07/04/2024

Missing Authentication for Critical Function vulnerability in the mobile monitoring feature of Mitsubishi Electric GENESIS64 versions 10.97.2 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.2 and prior, Mitsubishi Electric Hyper Historian versions 10.97.2 and prior, Mitsubishi Electric AnalytiX versions 10.97.2 and prior, Mitsubishi Electric MobileHMI versions 10.97.2 and prior, Mitsubishi Electric IoTWorX version 10.95, Mitsubishi Electric MC Works64 all versions, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97.2 and prior, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite versions 10.97.2 and prior, Mitsubishi Electric Iconics Digital Solutions Hyper Historian versions 10.97.2 and prior, Mitsubishi Electric Iconics Digital Solutions AnalytiX versions 10.97.2 and prior, Mitsubishi Electric Iconics Digital Solutions MobileHMI versions 10.97.2 and prior, and Mitsubishi Electric Iconics Digital Solutions IoTWorX version 10.95 allows a remote unauthenticated attacker to bypass proper authentication and log in to the system when all of the following conditions are met: (1) Active Directory is used in the security setting (2) "Automatic log in" option is enabled in the security setting (3) The IcoAnyGlass IIS Application Pool is running under an Active Directory Domain Account. (4) The IcoAnyGlass IIS Application Pool account is included in GENESIS64, ICONCIS Suite, and MC Works64 Security and has permission to log in.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 04/15/2026

The vulnerability described in CVE-2024-1573 represents a critical authentication bypass flaw affecting multiple Mitsubishi Electric industrial software products including GENESIS64, ICONICS Suite, Hyper Historian, AnalytiX, MobileHMI, and IoTWorX across various versions. This weakness falls under the CWE-287 category of "Improper Authentication" and specifically manifests as a missing authentication for critical functions within the mobile monitoring feature of these industrial control systems. The vulnerability creates a significant security risk by allowing remote attackers to gain unauthorized access to critical system functions without proper authentication credentials.

The technical exploitation of this vulnerability requires specific environmental conditions to be met, creating a multi-factor attack vector that must be carefully analyzed. The attack scenario necessitates that Active Directory be configured as the security mechanism within the system, which is common in enterprise industrial environments. Additionally, the "Automatic log in" option must be enabled in security settings, a configuration that may be implemented for operational convenience but creates security risks. The attack also requires that the IcoAnyGlass IIS Application Pool operates under an Active Directory Domain Account, which is a typical configuration for web applications in enterprise environments. Most critically, the application pool account must be included in the security configuration of GENESIS64, ICONICS Suite, and MC Works64 with appropriate login permissions, creating a chain of dependencies that must all align for successful exploitation.

The operational impact of this vulnerability extends beyond simple unauthorized access, potentially compromising entire industrial control systems. In industrial environments where these Mitsubishi Electric products are deployed, unauthorized access to mobile monitoring features could enable attackers to manipulate critical process data, disrupt operations, or gain deeper access to the industrial network infrastructure. The vulnerability particularly affects environments where industrial systems are connected to corporate networks and utilize Active Directory for identity management, which is standard practice in large industrial facilities. This creates a risk profile that aligns with ATT&CK technique T1078.004 for Valid Accounts and T1566.001 for Phishing, as attackers could potentially leverage this vulnerability to establish persistent access within industrial control systems.

The security implications of CVE-2024-1573 are particularly concerning given that it affects multiple products within the same vendor ecosystem, suggesting a systemic configuration issue rather than isolated product flaws. This vulnerability demonstrates how seemingly minor configuration settings like automatic login can create substantial security gaps when combined with other system characteristics. The attack requires specific prerequisites that make it less likely to be exploited broadly but still poses significant risk to organizations with the specific combination of configuration settings. Organizations should immediately review their Active Directory configurations and security settings to ensure that automatic login features are disabled unless absolutely necessary for operational requirements. The vulnerability also highlights the importance of proper privilege separation and the principle of least privilege in industrial control environments, where system accounts should not have unnecessary administrative permissions.

Mitigation strategies for this vulnerability should focus on immediate configuration changes and long-term security hardening measures. Organizations must disable the automatic login feature in all affected systems and implement proper authentication controls for mobile monitoring access. The IIS Application Pool accounts should be configured with minimal required permissions and should not be granted unnecessary access to industrial control system functions. Regular security audits should be conducted to identify and remediate similar configuration issues across the industrial network infrastructure. Additionally, organizations should implement network segmentation to limit lateral movement capabilities and deploy monitoring solutions to detect unauthorized access attempts. The vulnerability serves as a reminder of the critical importance of proper authentication controls in industrial environments, particularly when mobile access features are implemented, and underscores the need for comprehensive security assessments of industrial control system configurations.

Disclosure

07/04/2024

Moderation

accepted

CPE

ready

EPSS

0.00593

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!