White hat hackers earned a total of $280,000 for the exploits they demonstrated in January's Pwn2Own contest at the Zero Day Initiative, including $80,000 for vulnerabilities found in the Genesis64 HMI/SCADA product from ICONICS. The researchers who successfully hacked the ICONICS product were Flashback team's Pedro Ribeiro and Radek Domanski; Horst Goertz Institute for IT-Security's Tobias Scharnowski, Niklas Breitfeld, and Ali Abbasi; Yehuda Anikster of Claroty; and Incite team's Steven Seeley and Chris Anastasio.

They reported to ICONICS five critical and high-severity vulnerabilities, including those that allow a remote attacker to execute arbitrary code and to launch denial-of-service (DoS) attacks by sending specially crafted packets to the target system. One vulnerability could allow an attacker to execute arbitrary SQL commands. The flaws affect Genesis64, Hyper Historian, AnalytiX, MobileHMI, Genesis32 and BizViz. Mitsubishi's MC Works64 and MC Works32 SCADA applications have likewise been found to have the same vulnerabilities.

Separate advisories for the affected ICONICS and Mitsubishi products have been released by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the vendors. ZDI has told SecurityWeek that advisories for the ICONICS vulnerabilities disclosed at Pwn2Own Miami will be released shortly.

Claroty, an industrial cybersecurity firm, identified CVE-2020-12015, a deserialization bug that can be exploited for DoS attacks. This was one of five bugs that the team demonstrated at Pwn2Own; the other flaws affected products from several vendors.

"The ICONICS Genesis64 software is a human-machine interface (HMI) service that enables several different 'frequent story' devices to be connected and monitored. This system can be used to track and manage physical processes in several verticals of the automation world. This means that disabling the process through a DoS attack will destroy the ability to control the process and cause it to be shut down," Nadav said.

"A Remote Code Execution (RCE) attack on such a service might allow the attacker to change the values controlled by the system, thus also jeopardizing the security of the process. No authentication was required for all reported vulnerabilities, so an attacker with network access could exploit them and attack the service," Erez clarified.