A newly disclosed flaw in Mitsubishi Electric’s Iconics Suite SCADA platform, tracked as CVE-2025-0921, exposes critical industrial environments to denial-of-service attacks by abusing privileged file system operations in Windows-based engineering workstations. Rated with a CVSS score of 6.5, the vulnerability affects GENESIS64 deployments on Microsoft Windows versions 10.97.2 and earlier and could be combined with other weaknesses to corrupt essential system binaries and halt operations.
Researchers from Unit 42 discovered CVE-2025-0921 during an assessment of Iconics Suite, following an earlier set of five vulnerabilities they reported in versions 10.97.3 and below that enabled privilege escalation and system disruption. The latest bug resides in the way multiple Iconics services perform file system operations with elevated privileges, creating an opportunity for attackers with local, non‑admin access to direct these operations toward sensitive files. In industrial sectors such as automotive, energy and manufacturing, where Iconics SCADA is used to monitor and control processes, such misuse could severely impact system integrity and availability.
The core issue is a privileged file system operations vulnerability centered on the Pager Agent component of AlarmWorX64 MMX, which handles custom alerting via SMS and other pager protocols. Administrators configure SMS alerts using the PagerCfg.exe utility, including the path for an SMSLogFile where every SMS operation is logged. Under normal circumstances, the configuration file storing this path, IcoSetup64.ini in C:\ProgramData\ICONICS, should not be writable by standard users; however, when the legacy GenBroker32 component is installed, a previously documented flaw, CVE-2024-7587, grants any user full read-write access to this directory.
Unit 42 showed how an attacker could chain CVE-2025-0921 with CVE-2024-7587 to achieve a reliable denial-of-service condition on Windows. A local attacker first inspects IcoSetup64.ini to learn the SMSLogFile path, then creates a symbolic link from that log file to a critical binary, such as the cng.sys driver used by Microsoft’s Cryptography API: Next Generation. When an administrator later sends a test SMS or an alert fires automatically, the Pager Agent writes log data through the symbolic link into C:\Windows\System32\cng.sys, corrupting the driver so that the operating system fails to boot and becomes stuck in repair mode on reboot.
Even without the GenBroker32 installer misconfiguration, the researchers warn that CVE-2025-0921 remains dangerous if an attacker can make the log file path writable through other errors, alternative bugs or social engineering that changes permissions. They stress that privileged file system behaviors in OT environments are often underestimated, despite their potential to cause total system outages. Mitsubishi Electric has released an advisory and workarounds that address this and the previously reported issues, while Palo Alto Networks recommends hardening OT engineering workstations, segmenting SCADA systems with next-generation firewalls and leveraging OT security tools to detect and limit exploitation attempts.