Mitsubishi Electric Factory Automation Products Path Traversal (Update C)

Risk Summary

Successful exploitation of this vulnerability may allow an attacker to obtain unauthorized information, tamper the information, and cause a denial-of-service condition.

CVEs (1)

Remediations

• CW Configurator: Version 1.011M or later
• FR Configurator2: Version 1.23Z or later
• GX Works2: Version 1.596W or later
• GX Works3: Version 1.065T or later
• MELSEC iQ-R Series Motion Module: Version 12 and later
• MELSOFT iQ AppPortal: Version 1.20W or later
• MELSOFT Navigator: Versions 2.74C or later
• MI Configurator: Versions 1.005F or later
• MR Configurator2: Versions 1.115V or later
• MT Works2: Versions 1.160S or later
• MX Component: Versions 4.21X or later
• RT ToolBox3: Versions 1.80J or later
• Reference Mitsubishi Electric
• Make sure the file is obtained from the correct acquisition route when receiving a project file or a configuration data file from another person via email, USB memory, file server, etc.; or check that there is no file of unknown source.
• Operate the products under an account that does not have administrator privileges. Except for MELSEC iQ-R Series Motion Module.
• Install an antivirus software in computers using the products. Except for MELSEC iQ-R Series Motion Module.
• Restrict network exposure for all control system devices or systems to the minimum necessary and ensure they are not accessible from untrusted networks and hosts.
• Locate control system networks and remote devices behind firewalls and isolate them from the business network.
• Use virtual private network (VPN) when remote access is required.
• Additional information about the vulnerability or Mitsubishi Electric's compensating control is available by contacting a Mitsubishi Electric representative.

Affected Vendors

Affected Products (12)

Affected Sectors

Critical Manufacturing