Impact
This vulnerability arises from storing SQL Server credentials in plain text within a local SQLite cache file used by multiple Mitsubishi Electric control system products. A local attacker with file system access can read those credentials, authenticate to the SQL Server, and then read, modify, or delete data hosted there. The information exposure can also be leveraged to cause a denial‑of‑service condition by corrupting or deleting critical configuration data. The weakness corresponds to cleartext storage of sensitive information (CWE‑312).
Affected Systems
The affected products include Mitsubishi Electric Corporation and Iconics Digital Solutions releases such as GENESIS, GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian, AnalytiX, and MC Works64. The vulnerability exists in versions 10.97.3 and earlier for GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian, and AnalytiX; versions 11.02 and earlier for GENESIS; and all versions of MC Works64 where local SQLite caching is enabled. Any installation running these versions with SQL authentication and local caching is at risk.
Risk and Exploitability
The CVSS score of 9.3 indicates a high‑severity flaw exploitable by a local attacker. EPSS information is unavailable, and the vulnerability is not currently listed in the CISA KEV catalog, suggesting no widespread exploitation reports yet. Exploitation requires local access to the file system where the SQLite cache resides and consists of reading the cache file, which is typically accessible to users with sufficient privileges. Consequently, the risk is significant for systems with exposed local storage, and the impact can cascade from credential theft to full data compromise or denial of service.
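To confirm whether a given cache file is exposed in the way described above, a defender can audit it for cleartext SQL-authentication secrets. The following is an added example, not vendor or OpenCVE code: it assumes the credentials appear as connection-string style `Password=` or `Pwd=` keys, and the sample table and column names are hypothetical because the page does not give the cache schema.

```python
import re
import sqlite3
from pathlib import Path

# Assumption: the secret is stored as a connection-string key (Password= / Pwd=).
SECRET_KEY = re.compile(r"(?i)\b(?:password|pwd)\s*=\s*[^;\s]")

def quote_ident(name):
    """Quote an SQLite identifier taken from the file's own schema."""
    return '"' + name.replace('"', '""') + '"'

def find_cleartext_credentials(db_path):
    """Return (table, column, rowid) for each cell holding a cleartext
    connection-string password. The secret itself is never returned."""
    findings = []
    # Open read-only so the audit cannot alter the cache under inspection.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    conn = sqlite3.connect(uri, uri=True)
    try:
        tables = [r[0] for r in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table'")]
        for table in tables:
            info = conn.execute(f"PRAGMA table_info({quote_ident(table)})")
            for col in [r[1] for r in info]:
                query = (f"SELECT rowid, {quote_ident(col)} "
                         f"FROM {quote_ident(table)}")
                try:
                    rows = conn.execute(query).fetchall()
                except sqlite3.OperationalError:
                    continue  # e.g. WITHOUT ROWID tables; skipped here
                for rowid, value in rows:
                    if isinstance(value, bytes):
                        value = value.decode("utf-8", errors="ignore")
                    if isinstance(value, str) and SECRET_KEY.search(value):
                        findings.append((table, col, rowid))
    finally:
        conn.close()
    return findings

def build_sample_cache(path):
    """Constructed sample data; table and column names are hypothetical."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE cache_entries "
                 "(id INTEGER PRIMARY KEY, name TEXT, value TEXT)")
    conn.executemany("INSERT INTO cache_entries (name, value) VALUES (?, ?)", [
        ("sql_auth", "Data Source=db01;User ID=svc;Password=EXAMPLE-ONLY;"),
        ("win_auth", "Data Source=db01;Integrated Security=True;"),
    ])
    conn.commit()
    conn.close()
```

A non-empty result means the file holds a cleartext secret, so its file-system permissions should be reviewed and the referenced SQL credential rotated.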