1. EXECUTIVE SUMMARY
- CVSS v3 5.3
- ATTENTION: Exploitable remotely/low attack complexity
- Equipment: MELSEC iQ-F Series
- Vulnerability: Improper Restriction of Excessive Authentication Attempts
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow a remote attacker to prevent legitimate users from logging into the web server function for a certain period, resulting in a denial-of-service condition. The impact of this vulnerability will persist while the attacker continues to attempt the attack.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Mitsubishi Electric MELSEC iQ-F Series products are affected (Products with * are sold in limited regions):
- FX5U-xMy/z x=32,64,80, y=T,R, z=ES,DS,ESS,DSS (Serial number 17X**** and later): All versions
- FX5U-xMy/z x=32,64,80, y=T,R, z=ES,DS,ESS,DSS (Serial number 179**** and prior): Versions 1.060 or later
- FX5UC-xMy/z x=32,64,96, y=T, z=D,DSS (Serial number 17X**** and later): All versions
- FX5UC-xMy/z x=32,64,96, y=T, z=D,DSS (Serial number 179**** and prior): Versions 1.060 or later
- FX5UC-32MT/DS-TS, FX5UC-32MT/DSS-TS, FX5UC-32MR/DS-TS: All versions
- FX5UJ-xMy/z x=24,40,60, y=T,R, z=ES,DS,ESS,DSS: All versions
- FX5UJ-xMy/ES-A* x=24,40,60, y=T,R: All versions
- FX5S-xMy/z x=30,40,60,80*, y=T,R, z=ES,ESS: All versions
3.2 Vulnerability Overview
3.2.1 IMPROPER RESTRICTION OF EXCESSIVE AUTHENTICATION ATTEMPTS CWE-307
A denial-of-service vulnerability exists in the web server function of the MELSEC iQ-F Series CPU module, which could allow an attacker to prevent legitimate users from logging in to the web server function for a certain period of time. The impact of this vulnerability will persist while the attacker continues to attempt the attack.
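A defender-side illustration, added here and not part of the advisory or of Mitsubishi Electric's products: the script below scans constructed web-server login records (in a hypothetical line format, since the advisory publishes none) for the repeated failed-login bursts from one source that would keep a lockout period open against legitimate users, which is the pattern a monitoring team would watch for on the CPU module's web server interface. The threshold and window values are assumptions, not the module's actual lockout settings.

```python
"""Flag login-failure bursts against a PLC web server (hypothetical log format:
"<ISO timestamp> <src_ip> LOGIN <ok|fail>"; the advisory publishes no format)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: one source repeatedly hammers the login while a
# legitimate user's single failed attempt lands between the bursts.
SAMPLE_LOG = """\
2023-10-02T08:00:00 192.0.2.10 LOGIN fail
2023-10-02T08:00:01 192.0.2.10 LOGIN fail
2023-10-02T08:00:02 192.0.2.10 LOGIN fail
2023-10-02T08:00:03 192.0.2.10 LOGIN fail
2023-10-02T08:00:20 198.51.100.7 LOGIN fail
2023-10-02T08:05:00 192.0.2.10 LOGIN fail
2023-10-02T08:05:01 192.0.2.10 LOGIN fail
2023-10-02T08:05:02 192.0.2.10 LOGIN fail
2023-10-02T08:05:03 192.0.2.10 LOGIN fail
"""

def parse(line):
    ts, src, _, result = line.split()
    return datetime.fromisoformat(ts), src, result

def find_bursts(log_text, threshold=4, window=timedelta(seconds=60)):
    """Return (src, first_ts, last_ts, count) once per window in which a
    source's failed logins reach `threshold` (assumed values, not the module's)."""
    recent = defaultdict(deque)  # src -> timestamps of failures in window
    bursts, reported = [], {}
    for line in log_text.splitlines():
        ts, src, result = parse(line)
        if result != "fail":
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= threshold and reported.get(src) != q[0]:
            reported[src] = q[0]  # one alert per window start
            bursts.append((src, q[0], ts, len(q)))
    return bursts

def sustained_sources(bursts, min_bursts=2):
    """Sources with repeated bursts: the pattern that keeps the lockout
    period open against legitimate users while the attempts continue."""
    counts = defaultdict(int)
    for src, *_ in bursts:
        counts[src] += 1
    return sorted(s for s, n in counts.items() if n >= min_bursts)
```

Running `find_bursts(SAMPLE_LOG)` on the constructed sample reports two bursts from 192.0.2.10 and none for the single failure from 198.51.100.7, and `sustained_sources` then singles out 192.0.2.10 as the repeating source.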
CVE-2023-4625 has been assigned to this vulnerability. A CVSS v3.1 base score of 5
[…]