1. EXECUTIVE SUMMARY
- CVSS v3 7.0
- ATTENTION: Exploitable from a local network
- Vendor: Mitsubishi Electric
- Equipment: CNC Series
- Vulnerability: Uncontrolled Search Path Element
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to execute malicious code by getting setup-launcher to load a malicious DLL.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Mitsubishi Electric CNC Series are affected:
- NC Designer2: All versions
- NC Designer: All versions
- NC Configurator2: All versions
- NC Analyzer2: All versions
- NC Analyzer: All versions
- NC Explorer: All versions
- NC Monitor2: All versions
- NC Monitor: All versions
- NC Trainer2: “AB” and prior
- NC Trainer2 plus: “AB” and prior
- NC Trainer: All versions
- NC Trainer plus: All versions
- NC Visualizer: All versions
- Remote Monitor Tool: All versions
- MS Configurator: All versions
- Mitsubishi Electric Numerical Control Device Communication Software (FCSB1224): All versions
- Mitsubishi Electric CNC communication software runtime library M70LC/M730LC: All versions
- NC Virtual Simulator: All versions
3.2 VULNERABILITY OVERVIEW
3.2.1 UNCONTROLLED SEARCH PATH ELEMENT CWE-427
A malicious code execution vulnerability via DLL hijacking, due to an Uncontrolled Search Path Element (CWE-427), exists in Flexera InstallShield, which is used in multiple software tools and industrial IoT-related products for the Mitsubishi Electric CNC Series.
CVE-2016-2542 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.0 has been calculated; the CVSS vector string is (
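A pre-installation check for the condition described in 3.2.1, added here as an example and not taken from the advisory or the vendor: it walks a folder where installers are staged and reports every DLL that sits in the same directory as an executable, with size and SHA-256 for comparison against the vendor's media. It assumes the search path element at issue is the directory the setup launcher is run from; the function names, folder names and file contents are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def audit_staging_dir(root):
    """Return one finding per DLL that shares a directory with an .exe.

    Assumption: any DLL beside a setup launcher deserves review before the
    launcher is run, because CWE-427 means it may be loaded from there.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        # Windows file names are case-insensitive, so match on lower case.
        exes = sorted(f for f in files if f.lower().endswith(".exe"))
        dlls = sorted(f for f in files if f.lower().endswith(".dll"))
        if not exes:
            continue  # DLLs with no launcher beside them are out of scope
        for dll in dlls:
            p = Path(dirpath) / dll
            findings.append({
                "dll": str(p),
                "beside": exes,
                "size": p.stat().st_size,
                "sha256": hashlib.sha256(p.read_bytes()).hexdigest(),
            })
    return findings


def build_constructed_sample(root):
    """Constructed layout: a shared download folder and a clean staging folder."""
    downloads = Path(root) / "Downloads"
    clean = Path(root) / "staging"
    downloads.mkdir()
    clean.mkdir()
    (downloads / "setup.exe").write_bytes(b"MZ constructed launcher")
    (downloads / "Example.DLL").write_bytes(b"MZ constructed stray dll")
    (clean / "setup.exe").write_bytes(b"MZ constructed launcher")
    return downloads, clean


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_sample(tmp)
        for f in audit_staging_dir(tmp):
            print(f["dll"], f["beside"], f["size"], f["sha256"])
```

An empty result for the folder an installer will be launched from is the state to reach before running it; any reported DLL should be matched against the vendor's distribution or removed.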