Iconics Suite SCADA Vulnerability Enables Denial-of-Service Through Privileged File Operations

Source: Unit 42

Unit 42 researchers have disclosed CVE-2025-0921, a medium-severity vulnerability in the Iconics Suite SCADA system that could allow attackers to trigger denial-of-service (DoS) conditions on critical industrial control systems. The vulnerability affects versions 10.97.2 and earlier of this widely deployed supervisory control and data acquisition platform, which runs on Microsoft Windows and is used across the automotive, energy, and manufacturing industries.

How the Attack Works

The vulnerability stems from privileged file system operations that attackers can exploit through a multi-step attack chain:

  1. Configuration File Manipulation: An attacker with non-administrative access identifies the SMSLogFile path stored in the IcoSetup64.ini configuration file
  2. Symbolic Link Creation: Using symbolic links, the attacker redirects log file writes to target critical system binaries like the cng.sys driver
  3. Trigger the Payload: When an administrator sends an SMS test message or AlarmWorX64 MMX triggers an alert, logging data overwrites the target binary
  4. System Crash: Upon reboot, the corrupted driver causes the operating system to fail, leaving the system in an endless repair loop

Critical Impact for OT Environments

The cng.sys driver targeted in Unit 42’s proof-of-concept provides cryptographic services through Microsoft’s Cryptography API: Next Generation (CNG). Corrupting this driver renders Windows unbootable—a catastrophic outcome for operational technology environments where system availability directly impacts industrial processes.

When combined with a previously disclosed vulnerability (CVE-2024-7587) in GenBroker32’s installer that grants excessive file permissions, even unprivileged users can execute this attack chain.

Mitigation

The Iconics security team has released an advisory with remediation measures. Organizations running Iconics Suite should:

  • Apply the vendor’s recommended workarounds immediately
  • Audit file permissions on the C:\ProgramData\ICONICS directory
  • Monitor for unauthorized symbolic link creation in OT environments
  • Implement network segmentation to limit local access to SCADA systems
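
The attack chain described above and the file-permission and symbolic-link bullets just listed, as an added example that is not Unit 42's or Iconics' code: a generic Python check that a privileged logger should run before writing to a configured path (reject any path that leaves the log directory and reject a symbolic link on any component), an append routine that uses it, and a small audit that lists symlinks under a directory whose targets resolve outside it. The INI text, the `[Logging]` section name, and the directory layout built in `demo()` are constructed for the example; the real IcoSetup64.ini layout and the Windows ACL model are not reproduced.

```python
import configparser
import os
import tempfile
from pathlib import Path

# Constructed INI text modelled on the IcoSetup64.ini file the article names.
# The [Logging] section name and the relative value are assumptions.
SAMPLE_INI = """
[Logging]
SMSLogFile = logs/sms.log
"""


class UnsafeLogPath(Exception):
    """Raised when a configured log path must not be written by a privileged process."""


def configured_log_path(ini_text, key="SMSLogFile"):
    """Return the raw log-file value from the INI text (no validation yet)."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    return cfg["Logging"][key]


def check_log_path(raw_path, allowed_dir):
    """Validate a log path against allowed_dir before a privileged write.

    Two checks: the lexically normalised path must stay inside allowed_dir
    (no '..' escape), and no component below allowed_dir may be a symbolic
    link, tested with lstat semantics so the link itself is seen rather than
    whatever it points at. Returns the normalised absolute path."""
    allowed = Path(allowed_dir).resolve(strict=True)
    norm = Path(os.path.normpath(os.path.join(allowed, raw_path)))
    if allowed not in norm.parents:
        raise UnsafeLogPath(f"{raw_path!r} escapes {allowed}")
    cur = allowed
    for part in norm.relative_to(allowed).parts:
        cur = cur / part
        if cur.is_symlink():  # False for a component that does not exist yet
            raise UnsafeLogPath(f"{cur} is a symbolic link")
    return norm


def append_log(raw_path, allowed_dir, data):
    """Append to the log only after check_log_path passes.

    O_NOFOLLOW (POSIX) refuses a link planted on the final component between
    the check and the open; a race on an intermediate directory is still
    possible, which is why directory permissions matter as well."""
    target = check_log_path(raw_path, allowed_dir)
    flags = os.O_WRONLY | os.O_CREAT | os.O_APPEND | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(target, flags, 0o600)
    with os.fdopen(fd, "ab") as fh:
        fh.write(data)
    return target


def find_escaping_links(directory):
    """Audit: list (link, target) pairs under directory that resolve outside it."""
    base = Path(directory).resolve(strict=True)
    findings = []
    for root, dirs, files in os.walk(base, followlinks=False):
        for name in dirs + files:
            p = Path(root, name)
            if p.is_symlink() and base not in p.resolve().parents:
                findings.append((str(p), os.readlink(p)))
    return findings


def demo():
    """Build a constructed layout in a temp dir and exercise the checks."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp, "ProgramData", "ICONICS")   # stand-in for the real directory
        (base / "logs").mkdir(parents=True)
        victim = Path(tmp, "System32", "driver.bin")  # stand-in for a protected binary
        victim.parent.mkdir()
        victim.write_bytes(b"ORIGINAL")
        # A lower-privileged user has planted a link where the log is expected.
        (base / "logs" / "sms.log").symlink_to(victim)

        raw = configured_log_path(SAMPLE_INI)
        result = {"raw": raw, "blocked": False, "traversal_blocked": False}
        try:
            append_log(raw, base, b"test message\n")
        except UnsafeLogPath as exc:
            result["blocked"] = True
            result["reason"] = str(exc)
        result["victim_intact"] = victim.read_bytes() == b"ORIGINAL"
        result["escaping_links"] = len(find_escaping_links(base))
        # A clean path inside the directory is accepted and created.
        clean = append_log("logs/clean.log", base, b"ok\n")
        result["clean_written"] = clean.read_bytes() == b"ok\n"
        try:
            check_log_path("../../System32/driver.bin", base)
        except UnsafeLogPath:
            result["traversal_blocked"] = True
    return result
```

`demo()` returns a dictionary showing the planted link refused, the stand-in file left untouched, one escaping link found by the audit, and a clean path written normally. On Windows, `Path.is_symlink()` reports symbolic links but not directory junctions, which are a separate reparse-point type; a production check there also needs `os.path.isjunction()` (Python 3.12 and later) or an equivalent attribute test.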

This vulnerability highlights the persistent risks of privileged file operations in industrial control systems. OT security teams should treat any SCADA component with elevated privileges as a potential attack vector.