ICSA-20-182-02  ·  Published 2020-06-30

Mitsubishi Electric Factory Automation Engineering Software Products

CVSS 7.5 HIGH

Risk Summary

Successful exploitation of these vulnerabilities could allow a local attacker to send files outside of the system as well as cause a denial-of-service condition.

Remediations

  • Mitsubishi Electric recommends that affected users download the latest version of each software product from the following site and update it: https://www.mitsubishielectric.com/fa/#software
  • CPU Module Logging Configuration Tool: Version 1.100E or later
  • CW Configurator: Version 1.011M or later
  • EM Software Development Kit (EM Configurator): Version 1.015R or later
  • GT Designer3 (GOT2000): Version 1.225K or later
  • GX LogViewer: Version 1.100E or later
  • GX Works2: Version 1.590Q or later
  • GX Works3: Version 1.060N or later
  • M_CommDTM-HART: Version 1.01B or later
  • M_CommDTM-IO-Link: Version 1.03D or later
  • MELFA-Works: Version 4.4 or later
  • MELSEC-L Flexible High-Speed I/O Control Module Configuration Tool: Version 1.005F or later
  • MELSOFT FieldDeviceConfigurator: Version 1.04E or later
  • MELSOFT iQ AppPortal: Version 1.14Q or later
  • MELSOFT Navigator: Version 2.62Q or later
  • MI Configurator: Version 1.004E or later
  • Motion Control Setting: Version 1.006G or later
  • MR Configurator2: Version 1.100E or later
  • MT Works2: Version 1.160S or later
  • RT ToolBox2: Version 3.73B or later
  • RT ToolBox3: Version 1.60N or later
  • When receiving a project file or a configuration data file from another person via mail, USB memory, file server, etc., make sure that the file was obtained through the correct acquisition route (or check that there is no file of unknown source).
  • Operate the products under an account that does not have administrative privileges.
  • Install antivirus software on the personal computer that runs the products.
  • Restrict network exposure for all control system devices or systems to the minimum necessary, and ensure that they are not accessible from untrusted networks and hosts.
  • Locate control system networks and remote devices behind firewalls and isolate them from the business network.
  • Use a Virtual Private Network (VPN) when remote access is required.

Affected Vendors

Mitsubishi Electric

Affected Products (20)

Mitsubishi Electric · MELSOFT FieldDeviceConfigurator <= 1.03D
Mitsubishi Electric · RT ToolBox3 <= 1.50C
Mitsubishi Electric · GX Works2 <= 1.586L
Mitsubishi Electric · CW Configurator <= 1.010L
Mitsubishi Electric · RT ToolBox2 <= 3.72A
Mitsubishi Electric · GT Designer3 (GOT2000) <= 1.221F
Mitsubishi Electric · MELSOFT iQ AppPortal <= 1.11M
Mitsubishi Electric · MI Configurator <= 1.003D
Mitsubishi Electric · GX Works3 <= 1.058L
Mitsubishi Electric · CPU Module Logging Configuration Tool <= 1.94Y
Mitsubishi Electric · MELSEC-L Flexible High-Speed I/O Control Module Configuration Tool <= 1.004E
Mitsubishi Electric · MELFA-Works <= 4.3
Mitsubishi Electric · Motion Control Setting <= 1.005F
Mitsubishi Electric · M_CommDTM-IO-Link <= 1.02C
Mitsubishi Electric · EM Software Development Kit (EM Configurator) <= 1.010L
Mitsubishi Electric · MR Configurator2 <= 1.72A
Mitsubishi Electric · M_CommDTM-HART 1.00A
Mitsubishi Electric · MT Works2 <= 1.156N
Mitsubishi Electric · MELSOFT Navigator <= 2.58L
Mitsubishi Electric · GX LogViewer <= 1.96A

Affected Sectors

Multiple
