1. EXECUTIVE SUMMARY
- CVSS v3 9.8
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Mitsubishi Electric
- Equipment: EZSocket, FR Configurator2, GT Designer3 Version1(GOT1000), GT Designer3 Version1(GOT2000), GX Works2, GX Works3, MELSOFT Navigator, MT Works2, MX Component, MX OPC Server DA/UA (Software packaged with MC Works64)
- Vulnerabilities: Missing Authentication for Critical Function, Unsafe Reflection
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker to disclose, tamper with, destroy or delete information in the products, or cause a denial-of-service (DoS) condition on the products.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Mitsubishi Electric FA Engineering Software Products, are affected:
- EZSocket: Versions 3.0 and later
- FR Configurator2: All versions
- GT Designer3 Version1(GOT1000): All versions
- GT Designer3 Version1(GOT2000): All versions
- GX Works2: Versions 1.11M and later
- GX Works3: All versions
- MELSOFT Navigator: Versions 1.04E and later
- MT Works2: All versions
- MX Component: Versions 4.00A and later
- MX OPC Server DA/UA (Software packaged with MC Works64): All versions
3.2 Vulnerability Overview
3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306
A remote unauthenticated attacker may be able to bypass authentication by sending specially crafted packets and connect to the products.
CVE-2023-6942 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
3.2.2 […]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: