CVE-2025-0921 is a vulnerability classified under CWE-250 (Execution with Unnecessary Privileges) affecting multiple Mitsubishi Electric Corporation products, including GENESIS64 (all versions), GENESIS version 11.00, and MC Works64 (all versions). The vulnerability arises because certain services within these products execute with elevated privileges unnecessarily and allow a local authenticated attacker to exploit symbolic link (symlink) creation. Specifically, the attacker can create a symlink from a file that the vulnerable service writes to, redirecting the write operation to an arbitrary target file. This unauthorized write capability can lead to the destruction or corruption of critical files on the affected PC. Since these files may be essential for the proper operation of the system or the industrial control software, their destruction can cause a denial-of-service (DoS) condition, disrupting operations on the affected machine. The vulnerability requires local authentication, meaning the attacker must have some level of access to the system, but does not require user interaction beyond that. The CVSS v3.1 base score is 6.5 (medium severity), reflecting the local attack vector, low complexity, low privileges required, no user interaction, and a scope change due to impact on integrity but no confidentiality or availability impact. No known exploits are currently reported in the wild, and no patches have been linked yet, indicating that mitigation may currently rely on compensating controls or vendor updates once available.

For European organizations, particularly those in industrial sectors such as manufacturing, energy, utilities, and critical infrastructure that rely on Mitsubishi Electric's GENESIS64 and related SCADA/HMI software, this vulnerability poses a significant operational risk. The ability for a local attacker to corrupt or destroy critical files can lead to system downtime, loss of control over industrial processes, and potential safety hazards. Disruption of industrial control systems can have cascading effects, including production halts, financial losses, and regulatory compliance issues under frameworks like NIS2 and GDPR if operational disruptions affect personal data processing or critical services. The requirement for local authentication limits remote exploitation but does not eliminate risk, as insider threats or attackers who gain initial footholds via other means could leverage this vulnerability to escalate damage. The integrity impact is high, as unauthorized file writes can alter system behavior or disable critical functions. Although availability impact is not directly indicated, the resulting DoS condition can effectively cause operational unavailability. Confidentiality impact is not significant in this case. Overall, European organizations using these Mitsubishi Electric products should consider this vulnerability a medium to high operational risk due to its potential to disrupt critical industrial processes.

1. Restrict local access: Limit the number of users with local authenticated access to systems running GENESIS64 and related products. Implement strict access controls and monitoring to detect unauthorized local logins. 2. Apply principle of least privilege: Ensure that services and users operate with the minimum necessary privileges. Review and harden service account permissions to prevent unnecessary write capabilities. 3. Monitor for symlink creation: Deploy file integrity monitoring and endpoint detection tools capable of identifying suspicious symbolic link creation or manipulation in directories used by GENESIS64 services. 4. Network segmentation: Isolate industrial control systems from general IT networks to reduce the risk of attackers gaining local access. 5. Vendor updates: Stay in close contact with Mitsubishi Electric for patches or updates addressing CVE-2025-0921 and apply them promptly once available. 6. Incident response readiness: Prepare to respond to potential DoS conditions caused by file corruption, including backup and recovery plans for critical files and systems. 7. Audit and logging: Enable detailed logging of file operations and service activities to facilitate forensic analysis if exploitation is suspected. These measures go beyond generic advice by focusing on controlling local access, monitoring specific attack vectors (symlink abuse), and preparing operational continuity plans tailored to industrial control environments.