CVE-2020-12013

high-risk

Published 2020-07-16

A specially crafted WCF client that interfaces to the may allow the execution of certain arbitrary SQL commands remotely. This affects: Mitsubishi Electric MC Works64 Version 4.02C (10.95.208.31) and earlier, all versions; Mitsubishi Electric MC Works32 Version 3.00A (9.50.255.02); ICONICS GenBroker64, Platform Services, Workbench, FrameWorX Server v10.96 and prior; ICONICS GenBroker32 v9.5 and prior.

Do I need to act?

0.91% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 9.1/10 Critical

NETWORK / LOW complexity

Affected Products (11)

Mc Works32

Mc Works64

Energy Analytix

Facility Analytix

Genesis64

Hyper Historian

Mobilehmi

Quality Analytix

Smart Energy Analytix

Bizviz

Genesis32

Affected Vendors

Iconics Mitsubishielectric

References (4)

Third Party Advisory https://us-cert.cisa.gov/ics/advisories/icsa-20-170-02

Third Party Advisory https://us-cert.cisa.gov/ics/advisories/icsa-20-170-03

Third Party Advisory https://us-cert.cisa.gov/ics/advisories/icsa-20-170-02

Third Party Advisory https://us-cert.cisa.gov/ics/advisories/icsa-20-170-03

/ 100

high-risk

Severity 31/34 · Critical

Exploitability 3/34 · Minimal

Exposure 16/34 · Moderate