Medium

Arbitrary File Overwrite via Symlink in Mitsubishi Electric ICONICS/GENESIS Services

Identifiers: CVE-2025-0921, CWE-269

CVE-2025-0921 is an execution-with-unnecessary-privileges vulnerability affecting multiple Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions products, including GENESIS64, ICONICS Suite, MobileHMI, Hyper Historian, AnalytiX, IoTWorX, GENESIS32, BizViz, MC Works64, and GENESIS 11.00. The issue arises because privileged services perform file writes to attacker-influenced destinations without sufficient safeguards against symbolic-link redirection. According to the provided content, the vulnerable behavior is associated with the AlarmWorX64 MMX Pager Agent workflow, where the SMSLogFile path is stored in C:\ProgramData\ICONICS\IcoSetup64.ini and later used as a write destination by a privileged component such as PagerCfg.exe. A local authenticated attacker can create a symbolic link from the expected log file path to an arbitrary target file, causing the privileged service to overwrite or corrupt that target when logging occurs. The content specifically cites corruption of critical Windows files such as cng.sys as a practical exploitation example. The primary consequence described is destruction or corruption of files required for normal system operation, leading to denial of service on the affected Windows host.


Analyst brief: impact, mitigation & remediation

Impact


Successful exploitation allows a local authenticated attacker to abuse privileged file writes to overwrite arbitrary files accessible through symlink redirection. In the documented scenario, this can corrupt critical Windows components such as cng.sys, causing boot failure, repeated repair loops, and loss of availability of the affected workstation or server. The impact described in the provided material is primarily denial of service and integrity compromise on the local PC hosting the affected software. The content does not provide verified evidence of direct code execution from this CVE alone.

Mitigation


Until patches are applied, restrict local write access to configuration files and log destinations used by the affected services, especially C:\ProgramData\ICONICS and files such as IcoSetup64.ini. Prevent unprivileged users from modifying SMSLogFile or related Pager Agent configuration. Harden the host against symlink and mount-point abuse, monitor for unexpected symbolic links targeting service log paths, and restrict local interactive access to trusted administrators only. The provided content also indicates exploitation is easier when chained with CVE-2024-7587, so mitigating excessive permissions on C:\ProgramData\ICONICS is particularly important.
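The checks above (loose ACLs on IcoSetup64.ini, and a symlink sitting where the Pager Agent log should be) can be audited from an elevated PowerShell prompt. This is an added example, not code from Mallory, Mitsubishi Electric or ICONICS; it assumes the INI holds a plain `SMSLogFile=<path>` line, which the advisory names but does not document in detail.

```powershell
# Added example, not from the advisory: audit the AlarmWorX64 Pager Agent log path for
# symlink redirection and for loose ACLs on the INI and its directory.
# Assumption: IcoSetup64.ini holds a plain "SMSLogFile=<path>" line (key name is from the
# advisory; the file's exact layout is not documented there). Run from an elevated prompt.
$iniPath   = 'C:\ProgramData\ICONICS\IcoSetup64.ini'
$configDir = Split-Path -Path $iniPath -Parent
$findings  = @()

if (-not (Test-Path -LiteralPath $iniPath)) {
    Write-Output "INI not found: $iniPath (nothing to audit)"
} else {
    # Extract the SMSLogFile value, tolerating whitespace and surrounding quotes.
    $match = Select-String -LiteralPath $iniPath -Pattern '^\s*SMSLogFile\s*=\s*(.+?)\s*$' |
             Select-Object -First 1
    $logPath = if ($match) { $match.Matches[0].Groups[1].Value.Trim('"') } else { $null }

    if (-not $logPath) {
        $findings += 'SMSLogFile is not set in IcoSetup64.ini'
    } elseif (Test-Path -LiteralPath $logPath) {
        $item = Get-Item -LiteralPath $logPath -Force
        # A reparse point (symlink or junction) where a plain log file is expected is
        # exactly the redirection primitive this CVE relies on.
        if (($item.Attributes -band [IO.FileAttributes]::ReparsePoint) -ne 0) {
            $findings += "SMSLogFile '$logPath' is a reparse point, target: $($item.Target)"
        }
        # The log should live under the ICONICS data directory, not elsewhere on the host.
        if (-not $logPath.StartsWith($configDir, [StringComparison]::OrdinalIgnoreCase)) {
            $findings += "SMSLogFile '$logPath' is outside $configDir"
        }
    }

    # Non-admin principals must not be able to write the INI or its directory, since that
    # is how SMSLogFile gets repointed in the first place (see CVE-2024-7587 above).
    $loose     = 'BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users'
    $writeMask = [Security.AccessControl.FileSystemRights]'Write, Modify'
    foreach ($target in @($configDir, $iniPath)) {
        foreach ($ace in (Get-Acl -LiteralPath $target).Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $loose -contains $ace.IdentityReference.Value -and
                (($ace.FileSystemRights -band $writeMask) -ne 0)) {
                $findings += "$target grants $($ace.FileSystemRights) to $($ace.IdentityReference)"
            }
        }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Output "FINDING: $_" } }
else           { Write-Output 'No symlink redirection or loose ACLs found on the Pager Agent log path.' }
```

Any FINDING line is worth a ticket: a reparse point on the log path should be removed and the event reviewed, and write grants to the listed principals should be cut back to administrators and the service account.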

Remediation


Apply vendor-provided fixes where available. The provided content states Mitsubishi Electric released patches for GENESIS version 11.01 and later, and that fixes for some affected product lines were under development at the time of reporting. For unsupported or unpatched products such as MC Works64, follow the vendor advisory and workaround guidance. Upgrade affected installations away from vulnerable versions where possible, and remove or replace legacy deployments that will not receive fixes.

Public exploits

No public exploit code observed for this vulnerability.

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor                                        Product           Type
ICONICS                                       Analytix          application
ICONICS                                       Bizviz            application
ICONICS                                       Genesis           application
ICONICS                                       Genesis32         application
ICONICS                                       Genesis64         application
ICONICS                                       Hyper Historian   application
ICONICS                                       Iconics Suite     application
ICONICS                                       Iotworx           application
ICONICS                                       Mobilehmi         application
Mitsubishi Electric Corporation               Genesis64         application
Mitsubishi Electric Corporation               Mc Works64        application
Mitsubishi Electric Iconics Digital Solutions Genesis64         application

Vendor-confirmed product mapping.
