Description
Cleartext Storage of Sensitive Information in GUI vulnerability in Mitsubishi Electric GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric MobileHMI versions 10.97.3 and prior, Mitsubishi Electric Hyper Historian versions 10.97.3 and prior, Mitsubishi Electric AnalytiX versions 10.97.3 and prior, Mitsubishi Electric GENESIS versions 11.02 and prior, Mitsubishi Electric MC Works64 all versions, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions MobileHMI versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions Hyper Historian versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions AnalytiX versions 10.97.3 and prior, and Mitsubishi Electric Iconics Digital Solutions GENESIS versions 11.02 and prior allows a local attacker to disclose the SQL Server credentials displayed in plain text in the GUI of the Hyper Historian Splitter feature by exploiting this vulnerability, when SQL authentication is used for the SQL Server authentication. As a result, the unauthorized attacker could access the SQL Server and disclose, tamper with, or destroy data on the server, potentially cause a denial-of-service (DoS) condition on the system.
Published: 2026-04-08
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Credential exposure allowing unauthorized SQL Server access with potential data tampering and denial‑of‑service
Action: Immediate Patch
AI Analysis

Impact

This vulnerability is caused by cleartext storage and display of SQL Server credentials in the Hyper Historian Splitter feature. When SQL authentication is used, a local attacker can view these credentials in the application’s GUI. With the credentials, the attacker can log into the SQL Server and potentially read, modify, or delete data, and may trigger a denial‑of‑service incident. The weakness aligns with CWE‑317, which describes insecure storage of sensitive information.

Affected Systems

The flaw affects Mitsubishi Electric products that include the Hyper Historian Splitter UI. Affected versions are GENESIS64 up to and including 10.97.3, GENESIS up to 11.02, ICONICS Suite up to 10.97.3, MobileHMI up to 10.97.3, Hyper Historian up to 10.97.3, AnalytiX up to 10.97.3, and MC Works64 in all released versions. The same range applies to the Iconics Digital Solutions line (GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian, AnalytiX, and GENESIS).

Risk and Exploitability

The advisory rates the vulnerability with a CVSS score of 9.3, indicating high severity. The EPSS score is not available, but the lack of a KEV listing does not reduce the threat. Because the attacker must be local, the attack vector is physical or local system access. However, the high severity reflects the potential to compromise SQL Server credentials and thereby obtain full control over critical data, leading to espionage, tampering, or downtime.

Generated by OpenCVE AI on April 8, 2026 at 14:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Visit Mitsubishi Electric’s PSIRT page and download the patch for your product version
  • Apply the vendor patch to all impacted systems
  • Verify the installed version is greater than the vulnerable releases
  • Disable SQL Server authentication or enforce encrypted credential storage if a patch is unavailable as a temporary measure
  • Restrict local machine access to authorized personnel only to reduce risk of local account exploitation

Generated by OpenCVE AI on April 8, 2026 at 14:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Mitsubishielectric
Mitsubishielectric analytix
Mitsubishielectric genesis
Mitsubishielectric genesis64
Mitsubishielectric hyper Historian
Mitsubishielectric iconics Suite
Mitsubishielectric mc Works64
Mitsubishielectric mobilehmi
Vendors & Products Mitsubishielectric
Mitsubishielectric analytix
Mitsubishielectric genesis
Mitsubishielectric genesis64
Mitsubishielectric hyper Historian
Mitsubishielectric iconics Suite
Mitsubishielectric mc Works64
Mitsubishielectric mobilehmi

Wed, 08 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 08 Apr 2026 13:45:00 +0000

Type Values Removed Values Added
Description Cleartext Storage of Sensitive Information in GUI vulnerability in Mitsubishi Electric GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric MobileHMI versions 10.97.3 and prior, Mitsubishi Electric Hyper Historian versions 10.97.3 and prior, Mitsubishi Electric AnalytiX versions 10.97.3 and prior, Mitsubishi Electric GENESIS versions 11.02 and prior, Mitsubishi Electric MC Works64 all versions, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions MobileHMI versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions Hyper Historian versions 10.97.3 and prior, Mitsubishi Electric Iconics Digital Solutions AnalytiX versions 10.97.3 and prior, and Mitsubishi Electric Iconics Digital Solutions GENESIS versions 11.02 and prior allows a local attacker to disclose the SQL Server credentials displayed in plain text in the GUI of the Hyper Historian Splitter feature by exploiting this vulnerability, when SQL authentication is used for the SQL Server authentication. As a result, the unauthorized attacker could access the SQL Server and disclose, tamper with, or destroy data on the server, potentially cause a denial-of-service (DoS) condition on the system.
Title Information Disclosure, Tampering, and Denial-of-Service Vulnerabilities in GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian, AnalytiX, GENESIS, and MC Works64
Weaknesses CWE-317
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

Subscriptions

Mitsubishielectric Analytix Genesis Genesis64 Hyper Historian Iconics Suite Mc Works64 Mobilehmi
cve-icon MITRE

Status: PUBLISHED

Assigner: Mitsubishi

Published:

Updated: 2026-04-08T16:04:26.135Z

Reserved: 2025-12-17T02:11:38.277Z

Link: CVE-2025-14816

cve-icon Vulnrichment

Updated: 2026-04-08T16:04:23.571Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-04-08T14:16:24.887

Modified: 2026-04-08T21:26:13.410

Link: CVE-2025-14816

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-09T08:18:55Z

Weaknesses