Researchers from Palo Alto Networks’ Unit 42 recently uncovered multiple critical vulnerabilities in ICONICS SCADA systems, which are widely deployed across government, military, manufacturing, and utility sectors.
The security flaws, discovered in ICONICS Suite versions 10.97.2 and 10.97.3 for Windows platforms, could enable attackers to escalate privileges, trigger denial-of-service conditions, and potentially achieve full system compromise if left unpatched.
The vulnerabilities affect the ICONICS Genesis64 suite, which establishes connectivity with operational technology (OT) device protocols including BACnet and Modbus, while facilitating communication with OPC servers.
Dozens of vulnerable ICONICS servers remain accessible from the internet, creating significant exposure to potential attacks.
Among the discovered vulnerabilities is CVE-2024-7587, an incorrect default permissions vulnerability in GenBroker32.
When users install the GenBroker32 utility, it triggers permission changes in critical directories containing key binaries and configuration files for the ICONICS Suite.
These changes result in overly permissive settings that grant system-wide user access to sensitive directories.
Researchers at Palo Alto Networks showed how the installation modifies the access control list (ACL) of C:\ProgramData\ICONICS so that every logged-in user on the system is granted full access rights to critical configuration files, potentially allowing attackers to hijack system components.
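A quick way to check an ICONICS host for the overly permissive ACL described above, as an added example written for this page (not code from the Unit 42 report or from ICONICS): it walks C:\ProgramData\ICONICS, the path named in the report, and lists every Allow ACE that grants a broad, low-privilege principal write-class rights. The principal list and the right masks are assumptions chosen for illustration, not values from the report.

```powershell
# Added example for this page, not code from the Unit 42 report or from ICONICS.
# Lists Allow ACEs under C:\ProgramData\ICONICS (the path named in the report)
# that give broad, low-privilege principals write-class rights. The principal
# names and right masks below are assumptions chosen for illustration.

$Root = 'C:\ProgramData\ICONICS'

# Principals that cover every interactive or authenticated user on the host.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

$FSR = [System.Security.AccessControl.FileSystemRights]
# On a file, any write bit lets a user replace a binary or a config file.
$FileMask = [int]($FSR::Write -bor $FSR::Delete -bor $FSR::ChangePermissions -bor $FSR::TakeOwnership)
# On a directory, the default Windows ACL on C:\ProgramData already lets Users
# create files, so only Modify/FullControl-class rights are flagged there.
$DirMask  = [int]($FSR::Delete -bor $FSR::ChangePermissions -bor $FSR::TakeOwnership)

function Get-BroadWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    $mask = if (Test-Path -LiteralPath $Path -PathType Container) { $DirMask } else { $FileMask }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # Cast to int so generic-right bits the enum does not name still compare.
        if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }
        [pscustomobject]@{
            Path      = $Path
            Identity  = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

if (-not (Test-Path -LiteralPath $Root)) { throw "Not found: $Root" }

# Check the root directory itself, then everything below it.
$findings = @(Get-BroadWriteAce -Path $Root)
Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += @(Get-BroadWriteAce -Path $_.FullName) }

if ($findings.Count -eq 0) {
    "No broad write-class ACEs found under $Root."
} else {
    $findings | Sort-Object Path | Format-Table -AutoSize
}
```

Non-inherited hits on the root directory are the entries the installer wrote; inherited hits below it follow from those. Compare the output against a host running the patched ICONICS release before changing any ACL by hand, since the application itself may need some of the access.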
Another serious vulnerability, CVE-2024-1182, enables DLL hijacking in the MMCFG component.
When a user initiates an ANSI modem, it starts the Memory Master configuration tool (MMCfg.exe). During execution, this tool attempts to load a file named REVERB1.dll without specifying a path.
Because Windows falls back to searching the current working directory for this DLL, an attacker who can write there can plant a malicious REVERB1.dll and achieve arbitrary code execution.
Additional DLL Hijacking Vulnerabilities
The researchers identified further phantom DLL hijacking vulnerabilities (CVE-2024-8299, CVE-2024-8300, CVE-2024-9852) affecting critical components like MelSim2ComProc.exe and MMXCall_in.exe.
These processes are part of the AlarmWorX64 MMX component, which requires administrator privileges.
When AlarmWorX64 MMX invokes these applications, they inherit those administrator privileges, making them valuable targets for attackers.
For example, MelSim2ComProc.exe looks for Sim2ComProc.dll in the Communication directory.
If the DLL isn’t found in the system directories, the application falls back to the current working directory, so an attacker can place a malicious DLL there and have it executed with elevated privileges.
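To reproduce the search-order reasoning behind the REVERB1.dll and Sim2ComProc.dll findings on a host you administer, here is an added example written for this page (not code from the Unit 42 report or from ICONICS). It walks the default SafeDllSearchMode order for a DLL that an executable loads by bare name, reports where the loader would resolve it, and probes which earlier directories the current user can write to. The executable path and working directory are parameters because the report does not give the install layout; which directory is "current" for a process launched by AlarmWorX64 MMX is something you determine from a Process Monitor trace and pass in.

```powershell
# Added example for this page, not code from the Unit 42 report or from ICONICS.
# Walks the default (SafeDllSearchMode) DLL search order for a DLL that an
# executable loads by bare name, reports where the loader would resolve it, and
# which earlier directories the *current* user can write to. Run it as a
# standard (non-admin) user so the write probe reflects an attacker's position.
# The executable path is supplied by the caller; only the DLL name defaults to
# a value taken from the report.
param(
    [Parameter(Mandatory)][string]$Exe,             # e.g. full path to MMCfg.exe
    [string]$Dll = 'REVERB1.dll',                   # DLL name from the report
    [string]$WorkingDir = (Get-Location).Path       # use what Process Monitor shows
)

$Exe = (Resolve-Path -LiteralPath $Exe).Path        # fails early if the path is wrong

function Test-UserWritable {
    param([string]$Dir)
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    # Create and delete a throwaway file; this measures the running user's access.
    $probe = Join-Path $Dir ([IO.Path]::GetRandomFileName())
    try { New-Item -ItemType File -Path $probe -ErrorAction Stop | Out-Null }
    catch { return $false }
    Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
    return $true
}

# Default search order when SafeDllSearchMode is on (the Windows default).
$order = @(
    @{ Step = 'Application directory';     Dir = (Split-Path -Parent $Exe) }
    @{ Step = 'System directory';          Dir = [Environment]::SystemDirectory }
    @{ Step = '16-bit system directory';   Dir = (Join-Path $env:windir 'System') }
    @{ Step = 'Windows directory';         Dir = $env:windir }
    @{ Step = 'Current working directory'; Dir = $WorkingDir }
)
foreach ($p in ($env:Path -split ';' | Where-Object { $_.Trim() })) {
    $order += @{ Step = 'PATH entry'; Dir = $p.Trim().Trim('"') }
}

$resolved  = $null
$plantable = @()
foreach ($entry in $order) {
    $candidate = Join-Path $entry.Dir $Dll
    $exists    = Test-Path -LiteralPath $candidate -PathType Leaf
    $writable  = Test-UserWritable -Dir $entry.Dir
    '{0,-26} {1,-55} exists={2,-5} user-writable={3}' -f $entry.Step, $entry.Dir, $exists, $writable
    # A writable directory at or before the resolution point is a planting spot.
    if (-not $resolved -and $writable) { $plantable += $entry.Dir }
    if (-not $resolved -and $exists)   { $resolved = $candidate }
}

if ($resolved) { "Loader would resolve $Dll at: $resolved" }
else           { "$Dll was not found anywhere in the search order: phantom DLL." }
if ($plantable.Count) {
    "Directories where this user could plant $Dll ahead of (or at) that point:"
    $plantable | ForEach-Object { "  $_" }
} else {
    'No user-writable directory precedes the resolution point.'
}
```

The script models only the default search order: a process that calls SetDllDirectory, carries an application manifest, or loads a name on the KnownDLLs list resolves differently, and a process started by a service usually has System32 as its working directory rather than the shell's. Confirm the actual behaviour with a Process Monitor trace filtered on the DLL name and NAME NOT FOUND results before treating a writable directory as exploitable.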
ICONICS has released security patches to address these vulnerabilities. Palo Alto Networks customers are protected through various security products including Industrial OT Security, Cortex XDR, XSIAM, and Cortex Xpanse.