
CVE-2025-11774: CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in Mitsubishi Electric Corporation GENESIS64

Severity: High
Type: Vulnerability
Tags: cve, cve-2025-11774, cwe-78
Published: Fri Dec 19 2025 (12/19/2025, 00:22:03 UTC)
Source: CVE Database V5
Vendor/Project: Mitsubishi Electric Corporation
Product: GENESIS64

Description

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in the software keyboard function (hereinafter referred to as "keypad function") of Mitsubishi Electric GENESIS64 versions 10.97.2 CFR3 and prior, Mitsubishi Electric Iconics Digital Solutions GENESIS64 versions 10.97.2 CFR3 and prior, Mitsubishi Electric ICONICS Suite versions 10.97.2 CFR3 and prior, Mitsubishi Electric Iconics Digital Solutions ICONICS Suite versions 10.97.2 CFR3 and prior, Mitsubishi Electric MobileHMI versions 10.97.2 CFR3 and prior, Mitsubishi Electric Iconics Digital Solutions MobileHMI versions 10.97.2 CFR3 and prior, and Mitsubishi Electric MC Works64 all versions allows a local attacker to execute arbitrary executable files (EXE) when a legitimate user uses the keypad function by tampering with the configuration file for the function. This could allow the attacker to disclose, tamper with, delete, or destroy information stored on the PC where the affected product is installed, or cause a denial-of-service (DoS) condition on the system, through the execution of the EXE.

AI-Powered Analysis

Last updated: 12/26/2025, 04:25:28 UTC

Technical Analysis

CVE-2025-11774 is an OS command injection vulnerability (CWE-78) affecting Mitsubishi Electric Corporation's GENESIS64 software suite, including versions 10.97.2 CFR3 and earlier. The vulnerability resides in the keypad function, which allows users to input commands via a software keyboard interface. Because special elements in the configuration file that controls this function are not properly neutralized, a local attacker with limited privileges can tamper with that file so that arbitrary executable files (EXEs) run on the host system. Execution occurs when a legitimate user uses the keypad function, so the attack depends on that user interaction to trigger the payload.

Affected products are GENESIS64, ICONICS Suite and MobileHMI (under both the Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions names) at versions 10.97.2 CFR3 and prior, and MC Works64 in all versions.

The CVSS 3.1 metrics are: local attack vector (AV:L), low attack complexity (AC:L), low privileges required (PR:L), user interaction required (UI:R), and changed scope (S:C), meaning the vulnerability can affect resources beyond the initially compromised component. The impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H): an attacker can disclose sensitive information, tamper with or destroy data, or cause a denial-of-service condition.

Although no known exploits are currently in the wild, the vulnerability poses a significant risk to systems running these Mitsubishi Electric products, especially in industrial and critical infrastructure environments where GENESIS64 is commonly deployed. The vulnerability was reserved in mid-October 2025 and published in December 2025, with no patches currently linked, indicating a need for immediate attention from affected users.

Potential Impact

For European organizations, the impact of CVE-2025-11774 is substantial, particularly for those in industrial automation, manufacturing, energy, and building management sectors where Mitsubishi Electric's GENESIS64 and related software are widely used. Successful exploitation can lead to unauthorized execution of arbitrary code, resulting in data breaches, manipulation or destruction of critical operational data, and disruption of control systems. This can cause operational downtime, safety hazards, and financial losses. The requirement for local access and user interaction somewhat limits remote exploitation but does not eliminate risk, as insider threats or compromised user accounts could trigger the attack. The high confidentiality impact threatens sensitive industrial process data, while integrity and availability impacts could disrupt production lines or critical infrastructure services. Given the interconnected nature of industrial control systems in Europe, a single compromised node could propagate effects across supply chains or critical services. The lack of known public exploits provides a window for mitigation but also underscores the urgency to address the vulnerability before attackers develop weaponized code.

Mitigation Recommendations

1. Immediately restrict local access to systems running affected Mitsubishi Electric products, ensuring only trusted personnel have login privileges.
2. Implement strict file integrity monitoring and access controls on the keypad function configuration files to detect and prevent unauthorized modifications.
3. Educate users about the risk of interacting with the keypad function and enforce policies to minimize unnecessary use or exposure.
4. Apply principle of least privilege to user accounts to reduce the risk of privilege escalation via this vulnerability.
5. Monitor system logs and behavior for unusual execution of EXE files triggered by keypad interactions.
6. Coordinate with Mitsubishi Electric for timely patches or updates; if unavailable, consider temporary workarounds such as disabling the keypad function or isolating affected systems from critical networks.
7. Conduct regular security audits and penetration tests focusing on local privilege escalation and configuration file tampering vectors.
8. Employ endpoint detection and response (EDR) tools capable of identifying anomalous command execution patterns related to this vulnerability.
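
One way to carry out recommendation 2, as an added example that is not vendor tooling or part of the original advisory: a PowerShell script that records a SHA-256 baseline of the keypad configuration file and later warns when the content has changed or when the file's ACL lets non-administrative principals modify it. The file path, the baseline location and the trusted-principal list are assumptions; the advisory does not name the configuration file.

```powershell
# Added example, not vendor tooling. The path below is a placeholder: the
# advisory does not name the keypad configuration file.
param(
    [string[]]$ConfigPath   = @('C:\PLACEHOLDER\keypad-function-config.file'),
    [string]  $BaselineFile = 'C:\ProgramData\keypad-config-baseline.json',
    [switch]  $CreateBaseline
)
# Assumption: only these principals should be able to change the file.
# Names are those of English-language Windows; adjust for your site.
$TrustedWriters = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
                  'NT SERVICE\TrustedInstaller'
$WriteBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

function Get-ConfigState([string]$Path) {
    # Collect every principal with an Allow entry that includes a write-type right.
    $writers = (Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.AccessControlType -eq 'Allow' -and
                       (([int]$_.FileSystemRights -band $WriteBits) -ne 0) } |
        ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique
    [pscustomobject]@{
        Path    = $Path
        Sha256  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        Writers = @($writers)
    }
}

$current = foreach ($p in $ConfigPath) { Get-ConfigState $p }

if ($CreateBaseline) {
    # Run once from an administrator session while the file is known good.
    ConvertTo-Json -InputObject @($current) -Depth 3 |
        Set-Content -LiteralPath $BaselineFile
    return
}

$known = @{}
foreach ($b in (Get-Content -LiteralPath $BaselineFile -Raw | ConvertFrom-Json)) {
    $known[$b.Path] = $b.Sha256
}
foreach ($c in $current) {
    if (-not $known.ContainsKey($c.Path)) {
        Write-Warning "No baseline recorded for $($c.Path)"
    } elseif ($known[$c.Path] -ne $c.Sha256) {
        Write-Warning "Content changed since baseline: $($c.Path)"
    }
    $extra = $c.Writers | Where-Object { $_ -notin $TrustedWriters }
    if ($extra) { Write-Warning "Writable by $($extra -join ', '): $($c.Path)" }
}
```

Keep the baseline file somewhere only administrators can write, otherwise the same local account that can tamper with the configuration can also rewrite the baseline.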


Technical Details

Data Version: 5.2
Assigner Short Name: Mitsubishi
Date Reserved: 2025-10-15T02:40:54.345Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69449f434eb3efac36bb56a2

Added to database: 12/19/2025, 12:41:39 AM

Last enriched: 12/26/2025, 4:25:28 AM

Last updated: 2/6/2026, 7:16:56 PM
