Mitsubishi Electric reports vulnerabilities in Factory Automation
Take action: If you are using Mitsubishi Electric products including EZSocket, FR Configurator2, GT Designer3, GX and MT Works, MELSOFT Navigator or MX make sure they are isolated from internet and used only from trusted individuals and networks. And keep updated on patches from the vendor.
Learn More
Mitsubishi Electric, a Japanese electronics and electrical equipment manufacturer, disclosed the discovery of two significant vulnerabilities within its range of factory automation (FA) products:
- CVE-2023-6942 (CVSS score 7.5), is an authentication bypass vulnerability that allows a remote attacker without authentication to bypass security measures by sending specially crafted packets, thereby gaining unauthorized access to the products.
- CVE-2023-6943 (CVSS score 9.8), is a remote code execution flaw that enables attackers to execute malicious code by remotely calling a function with a path to a malicious library, once connected to the products.
These vulnerabilities could lead to unauthorized disclosure, alteration, or deletion of information, or even a denial-of-service (DoS) condition on the affected products.
The products affected by these vulnerabilities are :
- EZSocket,
- FR Configurator2,
- GT Designer3,
- GX and MT Works,
- MELSOFT Navigator,
- MX.
At the time of the advisory, Mitsubishi Electric had not yet released patches for these vulnerabilities. The company has advised users of the impacted products to implement general cybersecurity measures to mitigate the risk of exploitation - limiting both physical and network access to these systems to trusted networks and individuals.
It remains uncertain if any systems are directly accessible on the internet. The proprietary nature of the network protocol used by the affected products means that search engines like Shodan currently do not track the exposed service.
