PT-2022-21768 · ICONICS, Mitsubishi Electric · ICONICS GENESIS64, Mitsubishi Electric MC Works64

Published 2022-07-20 · Updated 2026-01-09 · CVE-2022-33320

CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

ICONICS GENESIS64 versions 10.97.1 and prior
Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior
Description

An unauthenticated attacker can execute arbitrary code by inducing a user to load a project configuration file that contains malicious XML. The root cause is a Deserialization of Untrusted Data weakness: the application reconstructs objects from the XML in the file without validating that content first, so whoever authored the file controls what is instantiated and, through it, what code runs. As the CVSS vector states (AV:L, PR:N, UI:R), no credentials are needed, but the victim must open the file.
Recommendations

Until a patch is available from the vendor, for both ICONICS GENESIS64 versions 10.97.1 and prior and Mitsubishi Electric MC Works64 versions 4.04E (10.95.210.01) and prior: load project configuration files only from trusted sources; restrict the project configuration file loading functionality to the users who need it; and, as a temporary workaround, avoid the project configuration file feature altogether. Because exploitation needs nothing beyond a user opening the file, treat any project file received by e-mail or fetched from an untrusted location as hostile until it has been reviewed.
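The triage check below is an added example, not ICONICS or Mitsubishi Electric code. The advisory does not describe the GENESIS64/MC Works64 project file format, so the script does not parse that format; it flags the generic XML constructs a .NET deserialization payload needs in order to choose which type gets instantiated (xsi:type overrides, the z:Type/z:Assembly attributes written by NetDataContractSerializer, assembly-qualified type names) plus any DTD or entity declaration, so a project file can be reviewed before a user opens it in the affected software. Both sample documents are constructed for this example; the hostile one only carries the indicators and is not a working payload.

```python
"""Pre-load triage of an XML project configuration file for markers of
.NET type-directed deserialization.

Added example, not ICONICS or Mitsubishi Electric code. The real project file
schema is not described in the advisory, so the indicators are the generic ones
an attacker needs to steer a .NET XML deserializer towards a type of their
choosing, plus any DTD or entity declaration. Sample documents are constructed.
"""
import re
import xml.etree.ElementTree as ET

XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
SER_NS = "http://schemas.microsoft.com/2003/10/Serialization/"

# "Namespace.Type, Assembly, Version=..., Culture=..., PublicKeyToken=..."
# At least one trailing attribute is required so ordinary comma-separated
# values such as "a, b" are not reported.
ASSEMBLY_QUALIFIED = re.compile(
    r"[A-Za-z_][\w.+`\[\]]*\s*,\s*[A-Za-z_][\w.]*"
    r"(?:\s*,\s*(?:Version|Culture|PublicKeyToken)=[^,\s]+)+"
)


def _local(tag: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on qualified names."""
    return tag.rsplit("}", 1)[-1]


def scan_project_xml(xml_text: str) -> list[str]:
    """Return one finding per marker; an empty list means nothing was flagged."""
    findings: list[str] = []
    # Checked on the raw text: the parser would otherwise consume the declaration.
    if re.search(r"<!DOCTYPE|<!ENTITY", xml_text):
        findings.append("DTD or entity declaration present")
    try:
        root = ET.fromstring(xml_text)  # ElementTree does not fetch external entities
    except ET.ParseError as exc:
        findings.append(f"not well-formed XML: {exc}")
        return findings
    for el in root.iter():
        tag = _local(el.tag)
        for name, value in el.attrib.items():
            if name == f"{{{XSI_NS}}}type":
                findings.append(f"<{tag}> overrides its type via xsi:type={value!r}")
            elif name in (f"{{{SER_NS}}}Type", f"{{{SER_NS}}}Assembly"):
                findings.append(
                    f"<{tag}> carries NetDataContractSerializer {_local(name)}={value!r}"
                )
            elif ASSEMBLY_QUALIFIED.search(value):
                findings.append(
                    f"<{tag}> attribute {name}={value!r} is an assembly-qualified type name"
                )
        if el.text and ASSEMBLY_QUALIFIED.search(el.text):
            findings.append(
                f"<{tag}> text is an assembly-qualified type name: {el.text.strip()!r}"
            )
    return findings


# Constructed benign project file (hypothetical element names).
CLEAN_PROJECT = """<?xml version="1.0"?>
<Project name="Line1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Display file="overview.gdfx"/>
  <Tag name="Pump1.Speed" source="OPC"/>
</Project>
"""

# Constructed hostile project file: same outer shape, but the serializer is
# told which types to instantiate. Indicator carrier only, not a working payload.
HOSTILE_PROJECT = """<?xml version="1.0"?>
<Project name="Line1"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/">
  <Display file="overview.gdfx"/>
  <Settings xsi:type="ObjectDataProvider"
            z:Assembly="PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
    <MethodName>Start</MethodName>
    <ObjectInstance z:Type="System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"/>
  </Settings>
  <Plugin class="MyCo.Plugins.Loader, MyCo.Plugins, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null"/>
</Project>
"""

if __name__ == "__main__":
    for label, doc in (("clean", CLEAN_PROJECT), ("hostile", HOSTILE_PROJECT)):
        findings = scan_project_xml(doc)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

A hit is a reason to inspect the file, not proof of an exploit: a legitimate project format may carry type names for plug-ins. The point of the check is that a file from an untrusted source should never reach the deserializer while any of these markers is present and unexplained.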

Fix

Weakness Enumeration

CWE-502 Deserialization of Untrusted Data

Related Identifiers

CVE-2022-33320
ZDI-22-1163
ZDI-23-343

Affected Products

ICONICS GENESIS64
Mitsubishi Electric MC Works64