SCADA Vulnerability – CVE-2025-0921 Triggers DoS in Industrial Operations

A newly disclosed medium-severity vulnerability (CVE-2025-0921) in the Mitsubishi Electric Iconics Suite SCADA system could allow attackers to trigger denial-of-service (DoS) conditions on critical industrial control systems.

Vulnerability Overview

  • CVE ID: CVE-2025-0921
  • Severity: CVSS 6.5 (Medium)
  • Affected Products: GENESIS64, MC Works64, GENESIS v11.00
  • Root Cause: Execution with unnecessary privileges in multiple services.
  • Impact: Attackers can misuse privileged file system operations to elevate privileges, corrupt binaries, and disrupt system availability.
  • Discovery: Unit 42 researchers (Asher Davila, Malav Vyas) during a 2024 assessment.
  • Scope: Hundreds of thousands of installations across government, military, utilities, energy, and manufacturing sectors in 100+ countries.

Technical Exploitation Details

  • The vulnerability resides in the Pager Agent (AlarmWorX64 MMX).
  • Attackers with local access can manipulate the SMSLogFile path in IcoSetup64.ini (C:\ProgramData\ICONICS).
  • Exploit chain:
    1. Create symbolic links from log file location → system binaries.
    2. Logging events overwrite critical drivers (e.g., cng.sys, Windows cryptographic driver).
    3. On reboot → corrupted driver causes endless repair loop, rendering OT workstations inoperable.
  • Easier exploitation when combined with CVE-2024-7587 (GenBroker32 installer flaw granting excessive permissions).
  • Exploitation without CVE-2024-7587 is also possible, relying on misconfiguration or social engineering instead.

Potential Impact

  • DoS conditions on SCADA workstations.
  • Boot failures and loss of engineering workstation availability.
  • Operational disruption in automotive, energy, manufacturing, water treatment, and utilities.
  • No persistence or C2 features – purely destructive.

Mitigation & Patch Status

  • GENESIS v11.01+ – patched, available via Iconics Community Resource Center.
  • GENESIS64 – fix under development.
  • MC Works64 – no patch planned; customers must implement mitigations.
  • Recommended Actions:
    • Apply latest patches immediately.
    • Restrict local access to SCADA workstations.
    • Audit file permissions in C:\ProgramData\ICONICS.
    • Monitor for symbolic link abuse and driver corruption attempts.
    • Harden configurations so that log file paths, and the directories they point to, are not writable by unprivileged users.
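The three audit items above (file permissions under C:\ProgramData\ICONICS, symbolic link abuse, writable log file paths) can be checked in one pass from the workstation. The script below is an added example written for this page; it is not part of the advisory and not Mitsubishi Electric or ICONICS tooling. It assumes the configuration file is C:\ProgramData\ICONICS\IcoSetup64.ini and that the log path appears as a line of the form "SMSLogFile=<path>" (the INI section name is not given in the advisory, so the key is matched by name alone). It reports Allow ACEs that grant write-class rights to low-privilege identities on the ICONICS directory, the INI file and the configured log directory, and it walks the configured log path to see whether any component is a symbolic link, junction or other reparse point.

```powershell
# Added audit script for the mitigations listed above; it is not part of the advisory
# and not Mitsubishi Electric / ICONICS tooling. Assumptions: the configuration file is
# C:\ProgramData\ICONICS\IcoSetup64.ini and the log path key is written as
# "SMSLogFile=<path>" (the INI section name is unknown, so the key is matched by name
# alone). Run from an elevated PowerShell 5.1+ prompt on the SCADA workstation.

$IconicsDir = 'C:\ProgramData\ICONICS'
$IniPath    = Join-Path $IconicsDir 'IcoSetup64.ini'

# Identities that should never hold write-class rights on SCADA configuration or log paths.
$LowPrivIdentities = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets a local user change the file or create entries in the directory.
$WriteRights = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, Delete, ChangePermissions, TakeOwnership'

function Get-WeakWriteAce {
    # Returns the Allow ACEs on $Path that grant any write-class right to a low-privilege identity.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $LowPrivIdentities -contains $_.IdentityReference.Value -and
        (($_.FileSystemRights -band $WriteRights) -ne 0)
    }
}

function Find-ReparsePointInPath {
    # Walks $Path and each parent directory, returning the first component that is a
    # symbolic link, junction or other reparse point, or $null if the chain is clean.
    param([string]$Path)
    $current = $Path
    while ($current) {
        if (Test-Path -LiteralPath $current) {
            $item = Get-Item -LiteralPath $current -Force
            if ($item.Attributes -band [System.IO.FileAttributes]::ReparsePoint) {
                return [pscustomobject]@{ Component = $current; LinkType = $item.LinkType }
            }
        }
        $parent = Split-Path -Path $current -Parent
        if ($parent -eq $current) { break }
        $current = $parent
    }
    return $null
}

$Findings = New-Object System.Collections.Generic.List[string]

# 1. Directory and INI permissions: the advisory's root cause is that these are too permissive.
foreach ($p in @($IconicsDir, $IniPath)) {
    foreach ($ace in Get-WeakWriteAce -Path $p) {
        $Findings.Add("Weak ACL: $($ace.IdentityReference) has $($ace.FileSystemRights) on $p")
    }
}

# 2. Configured SMS log path: read SMSLogFile and inspect where it really points.
$SmsLogFile = $null
if (Test-Path -LiteralPath $IniPath) {
    $m = Select-String -LiteralPath $IniPath -Pattern '^\s*SMSLogFile\s*=\s*(.+?)\s*$' | Select-Object -First 1
    if ($m) { $SmsLogFile = $m.Matches[0].Groups[1].Value.Trim('"') }
}
if ($SmsLogFile) {
    # A log path that leaves the ICONICS tree (for example under \Windows) is itself suspicious.
    if ($SmsLogFile -notlike "$IconicsDir\*") {
        $Findings.Add("SMSLogFile points outside $IconicsDir : $SmsLogFile")
    }
    $rp = Find-ReparsePointInPath -Path $SmsLogFile
    if ($rp) {
        $Findings.Add("Reparse point ($($rp.LinkType)) in SMSLogFile path at: $($rp.Component)")
    }
    foreach ($ace in Get-WeakWriteAce -Path (Split-Path -Path $SmsLogFile -Parent)) {
        $Findings.Add("Weak ACL on log directory: $($ace.IdentityReference) has $($ace.FileSystemRights)")
    }
} else {
    $Findings.Add("SMSLogFile not found in $IniPath (file missing or key written differently)")
}

if ($Findings.Count -eq 0) {
    Write-Output "OK: no weak ACLs or reparse points found for ICONICS configuration/log paths."
} else {
    $Findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

This is a point-in-time check, so run it after patching and after any change to the ICONICS installation; for continuous coverage of the "monitor for symbolic link abuse" item, pair it with object-access auditing or Sysmon file-create events on C:\ProgramData\ICONICS and on the configured log directory. Any reported reparse point in the log path, or any write-class ACE for Everyone or BUILTIN\Users on these paths, should be treated as a deviation to investigate rather than tolerated.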

Takeaway

CVE-2025-0921 highlights how privilege mismanagement in SCADA systems can lead to critical DoS conditions. While not the highest severity, the vulnerability poses significant risk to availability in industrial environments, especially when chained with other flaws. Organizations must patch promptly, restrict access, and monitor configurations to safeguard against operational disruption.
