Vulnerabilities in industrial control software used by water, energy, and manufacturing sectors could let hackers steal database passwords
CISA's ICS-CERT division disclosed two critical vulnerabilities in Mitsubishi Electric GENESIS64 and ICONICS Suite products that could expose SQL database credentials to attackers. The flaws, rated 8.8 on the CVSS scale, affect software widely used across water treatment, energy, and manufacturing facilities to monitor and control industrial processes.
An advisory released April 8, 2026 details how CVE-2025-14815 and CVE-2025-14816 could allow unauthenticated actors to harvest credentials from vulnerable installations. The vulnerability disclosure comes amid heightened concern over nation-state threats to operational technology, following a separate joint advisory warning of Iranian APT actors targeting Rockwell programmable logic controllers.
Facility operators using GENESIS64 version 10.97.201 or earlier, and ICONICS Suite versions prior to 2022 R2, should apply available patches immediately. Critical infrastructure operators in water, power, and manufacturing sectors face the greatest risk from credential theft that could enable broader network compromise.
Sources
CISA Warns: Critical ICS Flaws Expose SQL Credentials