Industrial Key Leak: Critical 9.3 CVSS Flaws Expose Mitsubishi’s GENESIS64 and ICONICS Suite

A new advisory from Mitsubishi Electric Corporation, released on April 7, 2026, has disclosed that multiple information disclosure, tampering, and Denial-of-Service (DoS) vulnerabilities exist in GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian, AnalytiX, MC Works64, and GENESIS.

The flaws strike at the heart of how these systems manage data and authenticate with backend databases, potentially leaving the door open for sophisticated actors to disrupt vital operations.

The most alarming aspect of the advisory centers on how sensitive credentials are handled. The first major flaw, CVE-2025-14815 (CVSS 9.3), involves the local cache (SQLite) feature of the affected products. When this feature is enabled and the system utilizes standard SQL authentication, “an attacker may be able to disclose SQL Server credentials stored on the PC where the product is installed”.

The second vulnerability, CVE-2025-14816 (CVSS 9.3), further complicates the security posture by allowing an attacker to disclose SQL Server credentials directly from the software’s user interface. Together, these vulnerabilities create a significant risk profile.

Mitsubishi warns that “the attacker could access the SQL Server illegally to disclose data, tamper with or destroy data, and cause a denial-of-service (DoS) condition on the system”. For a manufacturing plant or a utility provider, this could translate to altered production parameters, corrupted history logs, or a complete system shutdown.

Mitsubishi Electric has not yet provided a “one-click” patch for these specific issues, instead directing administrators to implement a series of robust manual countermeasures to harden their environments.

1. Disabling the Local Cache

The primary defense against CVE-2025-14815 involves reconfiguring the Workbench settings.

• Action: Uncheck the “Local Cache” column for all applications in the “Configure Application(s) Settings” dialog.
• Cleanup: Administrators must manually delete existing cache files, such as .sdf files in the C:\ProgramData\ICONICS\Cache directory or .sqlite3 files for GENESIS users.

2. Restricting Executables

To mitigate further risks, Mitsubishi recommends changing the permissions of HHSplitter.exe.

• Strict Access: Ensure that only trusted administrators can execute the file, or delete it entirely if it is not required for your specific deployment.

3. Network and Physical Hygiene

The advisory also reinforces standard “defense-in-depth” practices to prevent the initial access required to exploit these local flaws:

• Access Control: Block remote login from untrusted networks and restrict it only to administrators when internet access is absolutely required.
• Perimeter Defense: Utilize firewalls and Virtual Private Networks (VPNs) to shield affected products from the public internet.
• Physical Security: Restrict physical access to any PC running the affected software to prevent local tampering.