CVE-2022-23128
📋 TL;DR
This vulnerability allows remote unauthenticated attackers to bypass authentication in multiple Mitsubishi Electric and ICONICS industrial software products by sending specially crafted WebSocket packets to the FrameWorX server. Affected products include MC Works64, GENESIS64, Hyper Historian, AnalytiX, and MobileHMI. This affects all organizations using these industrial control system (ICS) software products.
💻 Affected Systems
- Mitsubishi Electric MC Works64
- ICONICS GENESIS64
- ICONICS Hyper Historian
- ICONICS AnalytiX
- ICONICS MobileHMI
📦 What is this software?
- AnalytiX by ICONICS
- GENESIS64 by ICONICS
- MC Works64 by Mitsubishi Electric
- MobileHMI by ICONICS
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of industrial control systems, allowing attackers to manipulate critical infrastructure operations, cause physical damage, disrupt essential services, or exfiltrate sensitive industrial data.
Likely Case
Unauthorized access to SCADA/HMI systems enabling industrial espionage, data theft, operational disruption, or planting backdoors for future attacks.
If Mitigated
Limited impact if systems are properly segmented, monitored, and have additional authentication layers, though authentication bypass remains a serious concern.
🎯 Exploit Status
Exploitation requires sending specially crafted WebSocket packets to the FrameWorX server. No authentication required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: MC Works64: 4.04E (10.95.210.01) or later; ICONICS products: 10.97.1 or later
Vendor Advisory: https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-026_en.pdf
Restart Required: Yes
Instructions:
1. Download the latest version from the vendor website.
2. Backup current configuration and data.
3. Install the update following vendor instructions.
4. Restart the system.
5. Verify the update was successful.
🔧 Temporary Workarounds
Network Segmentation
Isolate affected systems from untrusted networks and restrict access to FrameWorX server ports.
Firewall Rules
Block WebSocket traffic (typically port 80/443) to FrameWorX server from untrusted sources.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate affected systems
- Deploy additional authentication mechanisms and monitor for unauthorized access attempts
🔍 How to Verify
Check if Vulnerable:
Check product version against affected ranges. Monitor for unexpected WebSocket connections to FrameWorX server.
Check Version:
Check the version in the product's About dialog or configuration files (specific commands vary by product).
Verify Fix Applied:
Verify that the installed version is patched (MC Works64 ≥4.04E, ICONICS ≥10.97.1). After the update, tests of the authentication bypass should fail.
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts followed by successful access
- Unexpected WebSocket connections to FrameWorX server
- Authentication logs showing bypass patterns
Network Indicators:
- WebSocket traffic to FrameWorX server from unexpected sources
- Authentication bypass patterns in network traffic
SIEM Query:
source_ip=* AND dest_port IN (80,443) AND protocol="websocket" AND dest_host="frameworx_server" AND event_type="authentication_bypass"
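The two log indicators above (unexpected WebSocket sources, and failed authentication followed by successful access) can be checked offline against exported connection records. The script below is an added example, not vendor or advisory code; it reuses the field names of the query above, and the trusted subnet, host name, `event_type` values and sample records are constructed assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumptions, not from the advisory: trusted subnet, host name, event_type values.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
FRAMEWORX_HOST = "frameworx_server"
WEB_PORTS = (80, 443)
WINDOW = timedelta(minutes=5)

FIELDS = ("ts", "source_ip", "dest_host", "dest_port", "protocol", "event_type")
# Constructed sample records (not real logs), fields named as in the query above.
SAMPLE_ROWS = [
    ("2022-01-25T08:00:00", "10.20.0.15", "frameworx_server", 443, "websocket", "auth_success"),
    ("2022-01-25T08:01:00", "10.20.0.22", "frameworx_server", 443, "websocket", "auth_failure"),
    ("2022-01-25T08:01:30", "10.20.0.22", "frameworx_server", 443, "websocket", "auth_success"),
    ("2022-01-25T08:05:00", "192.0.2.44", "frameworx_server", 80, "websocket", "connect"),
    ("2022-01-25T08:05:02", "192.0.2.44", "frameworx_server", 80, "websocket", "auth_success"),
    ("2022-01-25T09:00:00", "10.20.0.30", "frameworx_server", 443, "websocket", "auth_failure"),
    ("2022-01-25T09:30:00", "10.20.0.30", "frameworx_server", 443, "websocket", "auth_success"),
    ("2022-01-25T09:31:00", "192.0.2.44", "file_server", 443, "https", "connect"),
]
SAMPLE_EVENTS = [dict(zip(FIELDS, row)) for row in SAMPLE_ROWS]

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def detect(events):
    """Return (ts, source_ip, reason) alerts for WebSocket traffic to FrameWorX."""
    alerts, flagged_sources, last_failure = [], set(), {}
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["ts"])):
        if (ev["dest_host"] != FRAMEWORX_HOST or ev["protocol"] != "websocket"
                or ev["dest_port"] not in WEB_PORTS):
            continue
        ts, src = datetime.fromisoformat(ev["ts"]), ev["source_ip"]
        # Indicator: WebSocket connection from a source outside the trusted subnets.
        if not is_trusted(src) and src not in flagged_sources:
            flagged_sources.add(src)
            alerts.append((ev["ts"], src, "unexpected_source"))
        # Indicator: failed authentication followed by success within WINDOW.
        if ev["event_type"] == "auth_failure":
            last_failure[src] = ts
        elif ev["event_type"] == "auth_success":
            failed = last_failure.pop(src, None)
            if failed is not None and ts - failed <= WINDOW:
                alerts.append((ev["ts"], src, "failure_then_success"))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

A failure-then-success alert from a trusted operator station is often just a mistyped password, so treat it as a triage lead and weigh it together with the source check.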
🔗 References
- https://jvn.jp/vu/JVNVU95403720/index.html
- https://www.cisa.gov/uscert/ics/advisories/icsa-22-020-01
- https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-026_en.pdf