Privileged File System Vulnerability Present in a SCADA Syst... #1835
🤖 Automated Content Update
This PR was automatically generated by the HackTricks News Bot based on a technical blog post.
📝 Source Information
🎯 Content Summary
Post title: Privileged File System Vulnerability Present in a SCADA System (Unit 42, published January 30, 2026)
What the post is about
Unit 42 analyzes CVE-2025-0921 (CVSS 6.5 Medium) in Mitsubishi Electric Iconics Digital Solutions GENESIS64 / Iconics Suite (SCADA) for Microsoft Windows versions 10.97.2 and earlier. The bug is categorized as execution with unnecessary privileges across multiple services and is demonstrated via a ...
🔧 Technical Details
When a privileged Windows process writes to a path influenced by a low-privilege user (e.g., a configurable log destination stored in a writable config file like C:\ProgramData...*.ini), the attacker can convert that write into an arbitrary file overwrite by redirecting the destination using Windows filesystem/object-manager primitives (e.g., Object Manager symbolic links combined with NTFS mount points to create file symlinks without admin). Triggering normal program behavior (such as writing an SMS log during an alert) causes the privileged process to overwrite an attacker-chosen protected target. A reliable DoS variant is redirecting the write into a boot-critical driver path (e.g., placing/corrupting C:\Windows\System32\cng.sys so Windows attempts to load it on boot), resulting in a boot failure/repair loop. Verification can be done by inspecting the overwritten file contents (e.g., with CFF Explorer) to confirm it now contains log text rather than a val...
🤖 Agent Actions
Updated windows-hardening/windows-local-privilege-escalation/README.md by restoring the full page and adding a new section detailing abuse of privileged log/backup paths via Object Manager symlinks and NTFS mount points to convert privileged writes into arbitrary file overwrites/boot DoS (including CreateMountPoint/CreateSymlink steps and cng.sys corruption flow). Expanded references with the Unit 42 SCADA blog, CreateSymlink tooling docs, and Forshaw’s symlink research.
This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
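The Technical Details section above describes the root cause: a privileged process opens a log destination taken from a config file a low-privilege user can edit, and follows whatever link sits at that path. The following is an added example (not code from this PR, from Unit 42, or from HackTricks) showing the check a privileged writer should perform before opening a configurable destination: keep the path lexically inside a directory the service owns, and refuse to open it if any component from that directory down is a symlink or reparse point (junctions and NTFS mount points are reparse points on Windows). The function names `validate_log_path`, `append_log_line` and `demo`, and the temp-directory scenario it builds, are assumptions made for this example.

```python
import os
import stat
import tempfile


class UnsafeLogPathError(Exception):
    """Raised when a configured log destination must not be written by a privileged process."""


def _is_link_or_reparse_point(path):
    """True if `path` exists and is a symlink, or (on Windows) any reparse point,
    which covers junctions and NTFS mount points."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return False
    if stat.S_ISLNK(st.st_mode):
        return True
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_REPARSE_POINT", 0))


def validate_log_path(log_path, trusted_root):
    """Return the absolute log path if it is safe to open, else raise.

    Safe means: lexically inside trusted_root (no '..' escape) and no path
    component from trusted_root down is a symlink or reparse point, so a user
    who can edit the config cannot point the write at a protected file.
    """
    root = os.path.abspath(trusted_root)
    target = os.path.abspath(log_path)
    try:
        inside = os.path.commonpath([root, target]) == root
    except ValueError:  # different drives on Windows
        inside = False
    if not inside or target == root:
        raise UnsafeLogPathError(f"log path {target!r} is outside {root!r}")
    if _is_link_or_reparse_point(root):
        raise UnsafeLogPathError(f"trusted root {root!r} is itself a link")
    current = root
    for part in os.path.relpath(target, root).split(os.sep):
        current = os.path.join(current, part)
        if _is_link_or_reparse_point(current):
            raise UnsafeLogPathError(f"{current!r} is a symlink or reparse point")
    return target


def append_log_line(log_path, trusted_root, line):
    """Validate, then append. O_NOFOLLOW (where the OS provides it) closes the
    race on the final component between the check and the open."""
    target = validate_log_path(log_path, trusted_root)
    flags = os.O_WRONLY | os.O_CREAT | os.O_APPEND | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(target, flags, 0o640)
    try:
        os.write(fd, (line + "\n").encode())
    finally:
        os.close(fd)
    return target


def demo():
    """Constructed scenario (assumption, not from the page): a service log directory
    and a 'protected' file that a hostile config tries to point the log at."""
    result = {}
    with tempfile.TemporaryDirectory() as tmp:
        log_root = os.path.join(tmp, "service_logs")
        protected_dir = os.path.join(tmp, "protected")
        os.makedirs(log_root)
        os.makedirs(protected_dir)
        protected = os.path.join(protected_dir, "important.bin")
        with open(protected, "wb") as f:
            f.write(b"ORIGINAL")

        # Honest configuration: a plain file inside the service's own directory.
        ok_path = append_log_line(os.path.join(log_root, "alert.log"), log_root, "alert sent")
        result["direct_write_ok"] = os.path.exists(ok_path)

        # Hostile configuration: a link inside log_root that targets the protected file.
        redirected = os.path.join(log_root, "sms.log")
        os.symlink(protected, redirected)
        try:
            append_log_line(redirected, log_root, "sms sent")
            result["symlink_rejected"] = False
        except UnsafeLogPathError:
            result["symlink_rejected"] = True

        # Hostile configuration: a '..' path that escapes the trusted root.
        escape = os.path.join(log_root, "..", "protected", "important.bin")
        try:
            append_log_line(escape, log_root, "x")
            result["escape_rejected"] = False
        except UnsafeLogPathError:
            result["escape_rejected"] = True

        with open(protected, "rb") as f:
            result["protected_untouched"] = f.read() == b"ORIGINAL"
    return result


if __name__ == "__main__":
    print(demo())
```

The per-component check matters because a reparse point anywhere on the path, not only at the leaf, redirects the write; the lexical containment check stops the `..` variant that needs no link at all. In a native Windows service the equivalent is opening with `FILE_FLAG_OPEN_REPARSE_POINT` and inspecting the result, and the root-cause fix is an ACL that denies low-privilege users write access to the config file the path comes from.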