Summary
Successful exploitation of this vulnerability could allow a remote attacker to cause an out-of-bounds read, resulting in a denial-of-service condition in the affected products.
The following versions of Mitsubishi Electric CNC Series are affected:
- M800VW (BND-2051W000) <=BB
- M800VS (BND-2052W000) <=BB
- M80V (BND-2053W000) <=BB
- M80VW (BND-2054W000) <=BB
- M800W (BND-2005W000) <=FM
- M800S (BND-2006W000) <=FM
- M80 (BND-2007W000) <=FM
- M80W (BND-2008W000) <=FM
- E80 (BND-2009W000) <=FM
- C80 (BND-2036W000) vers:all/*
- M750VW (BND-1015W002) vers:all/*
- M730VW (BND-1015W000) vers:all/*
- M720VW (BND-1015W000) vers:all/*
- M750VS (BND-1012W002) vers:all/*
- M730VS (BND-1012W000-**) vers:all/*
- M720VS (BND-1012W000) vers:all/*
- M70V (BND-1018W000) vers:all/*
- E70 (BND-1022W000) vers:all/*
- NC Trainer2 (BND-1802W000) vers:all/*
- NC Trainer2 plus (BND-1803W000) vers:all/*
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 5.9 | Mitsubishi Electric | Mitsubishi Electric CNC Series | Improper Validation of Specified Index, Position, or Offset in Input |
Background
- Critical Infrastructure Sectors: Critical Manufacturing
- Countries/Areas Deployed: Worldwide
- Company Headquarters Location: Japan
Vulnerabilities
CVE-2025-2399
Improper Validation of Specified Index, Position, or Offset in Input (CWE-1285) vulnerability in the affected products allows a remote attacker to cause an out-of-bounds read, resulting in a denial-of-service condition in the affected products by sending specially crafted packets to TCP port 683.
Affected Products
Mitsubishi Electric CNC Series
Mitsubishi Electric
Mitsubishi Electric M800VW (BND-2051W000): <=BB, Mitsubishi Electric M800VS (BND-2052W000): <=BB, Mitsubishi Electric M80V (BND-2053W000): <=BB, Mitsubishi Electric M80VW (BND-2054W000): <=BB, Mitsubishi Electric M800W (BND-2005W000): <=FM, Mitsubishi Electric M800S (BND-2006W000): <=FM, Mitsubishi Electric M80 (BND-2007W000): <=FM, Mitsubishi Electric M80W (BND-2008W000): <=FM, Mitsubishi Electric E80 (BND-2009W000): <=FM, Mitsubishi Electric C80 (BND-2036W000): vers:all/*, Mitsubishi Electric M750VW (BND-1015W002): vers:all/*, Mitsubishi Electric M730VW (BND-1015W000): vers:all/*, Mitsubishi Electric M720VW (BND-1015W000): vers:all/*, Mitsubishi Electric M750VS (BND-1012W002): vers:all/*, Mitsubishi Electric M730VS (BND-1012W000): vers:all/*, Mitsubishi Electric M720VS (BND-1012W000): vers:all/*, Mitsubishi Electric M70V (BND-1018W000): vers:all/*, Mitsubishi Electric E70 (BND-1022W000): vers:all/*, Mitsubishi Electric NC Trainer2 (BND-1802W000): vers:all/*, Mitsubishi Electric NC Trainer2 plus (BND-1803W000): vers:all/*
known_affected
Remediations
Vendor fix
Please apply the fixed version (BC or later) for Mitsubishi Electric M800VW(BND-2051W000), M800VS(BND-2052W000), M80V(BND-2053W000), and M80VW(BND-2054W000). For instructions on how to apply it, please consult your Mitsubishi Electric representative.
Vendor fix
Please apply the fixed version (FN or later) for Mitsubishi Electric M800W(BND-2005W000), M800S(BND-2006W000), M80(BND-2007W000), M80W(BND-2008W000), and E80(BND-2009W000). For instructions on how to apply it, please consult your Mitsubishi Electric representative.
Mitigation
For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric recommends using a firewall or virtual private network (VPN) to prevent unauthorized access, when internet access is required, to minimize the risk of exploiting this vulnerability.
M
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: