Critical Vulnerability Discovered in Iconics SCADA Software
CVE-2025-0921 exposes serious risks for users of the Iconics Suite, a widely used SCADA system. The vulnerability can lead to denial-of-service (DoS) attacks by exploiting privileged file system operations.
Palo Alto Networks recently identified CVE-2025-0921, a medium-severity vulnerability in Iconics Suite versions 10.97.2 and earlier. The vulnerability allows attackers to misuse privileged file operations to corrupt critical binaries, compromising system integrity and availability. An attacker with non-administrative access can exploit this weakness to create a DoS condition on the affected system. The attack relies on a previous vulnerability, CVE-2024-7587, which grants excessive file permissions that allow unprivileged users to modify crucial configuration files. Specifically, the exploit targets the Pager Agent component of the AlarmWorX64 MMX feature set.
To execute the attack, an attacker identifies the path for the SMS log file defined in a configuration file, creates a symbolic link to a critical system binary (e.g., cng.sys), and waits for system activity that triggers a log write. The redirected log write overwrites the binary, rendering the system inoperable upon reboot. The exploit illustrates how seemingly low-risk vulnerabilities can lead to significant operational disruptions, particularly in critical industrial environments.
Understanding these vulnerabilities is crucial for defenders. The risk of exploitation highlights the urgent need for enhanced security measures in SCADA systems, where operational impacts can be severe. It serves as a reminder that unaddressed privilege escalation vulnerabilities can lead to serious consequences in operational technology environments.
Regular monitoring, robust access controls, and threat intelligence can aid in identifying and mitigating such vulnerabilities quickly. Deploying solutions like Palo Alto Networks OT Device Security can provide visibility and strengthen defenses around SCADA applications like Iconics Suite, reducing overall risk exposure.
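A defender-side check for the symbolic-link redirection described above, as an added example that is not code from Palo Alto Networks or Iconics: it audits a configured log path for links in any path component and for a resolved write target outside the expected log directory. The function names and the protected-extension list are assumptions, and the caller supplies the log path and log directory because the page does not give them.

```python
import os

# Assumption: file types a log writer should never be able to reach.
PROTECTED_EXTENSIONS = {".sys", ".dll", ".exe"}


def _is_inside(path, root):
    """True if path equals root or lies beneath it (case-normalised)."""
    path, root = os.path.normcase(path), os.path.normcase(root)
    try:
        return os.path.commonpath([path, root]) == root
    except ValueError:  # e.g. different drives on Windows
        return False


def audit_log_path(log_path, allowed_root):
    """Return findings for a configured log path; an empty list means clean."""
    findings = []
    root = os.path.abspath(allowed_root)
    lexical = os.path.abspath(log_path)
    # realpath follows symbolic links (and, on Windows, junctions).
    resolved = os.path.realpath(lexical)

    if not _is_inside(lexical, root):
        findings.append(f"configured path is outside {root}: {lexical}")
    else:
        # Check every component below the root: a link on a parent
        # directory redirects the write just as a link on the file does.
        current = root
        for part in os.path.relpath(lexical, root).split(os.sep):
            current = os.path.join(current, part)
            if os.path.islink(current):
                target = os.path.realpath(current)
                findings.append(f"link in path: {current} -> {target}")

    # Independent of the link walk: where would a write actually land?
    if not _is_inside(resolved, os.path.realpath(root)):
        findings.append(f"write would land outside log directory: {resolved}")
    if os.path.splitext(resolved)[1].lower() in PROTECTED_EXTENSIONS:
        findings.append(f"write target has protected extension: {resolved}")
    return findings
```

Run it on a schedule or from a file-integrity job against each log path read from the product's configuration, and alert on any non-empty result.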
Indicators of Compromise (IOCs):
- CVE-2025-0921: Execution with unnecessary privileges in Mitsubishi Electric Iconics Digital Solutions GENESIS64
- CVE-2024-7587: Affects the GenBroker32 installer, allowing excessive permissions.



