ICSA-22-333-05 · Published 2025-11-25
Mitsubishi Electric FA Engineering Software (Update C)
CVSS 9.1 (CRITICAL)
Risk Summary
Successful exploitation of these vulnerabilities could allow unauthorized users to gain access to the MELSEC iQ-R/F/L series CPU modules and the MELSEC iQ-R series OPC UA server module or to view and execute programs or view project files without permissions.
CVEs (10)
Remediations
- Mitsubishi Electric released and recommends users update to the latest version:
  - GX Works3:
    - CVE-2022-25164, CVE-2022-29830, and CVE-2022-29831: Download fixed Ver. 1.096A or later. Then set security version for project to "2".
    - CVE-2022-29826: Download fixed Ver. 1.090U or later.
    - CVE-2022-29825 and CVE-2022-29829: Download fixed Ver. 1.095Z or later. Then set security key's secure mode to Enabled.
  - MX OPC UA Module Configurator-R:
    - CVE-2022-25164: Download fixed Ver. 1.09K or later. Update the firmware version of the OPC UA server module to 10 or later.
  - GT Designer3 Version1 (GOT2000):
    - CVE-2022-29825 and CVE-2022-29829: Download fixed Ver. 1.295H or later. Then set security key's secure mode to Enabled.
  - Motion Control Setting:
    - CVE-2022-29826 and CVE-2022-29829: Download fixed Ver. 1.045X or later. Apply CVE-2022-29826 or CVE-2022-29829 mitigations for GX Works3 as well.
    - CVE-2022-29830: Download fixed Ver. 1.070Y or later and update the software. Set security version for project to "2". Refer to "Motion Control Setting Function Help" – "12.5. Preventing Illegal Access to/Falsification of Data (Security Version)" for details. Apply the countermeasure for CVE-2022-29830 listed in GX Works3.
  - MT Works2:
    - CVE-2022-29825 and CVE-2022-29829: Download fixed Ver. 1.205P or later and update the software. Then set security key's secure mode to Enabled. Please refer to "MT Developer2 Help" – "Security Function" – "Manage Security Key" for details.
- For all other listed vulnerabilities, Mitsubishi Electric released mitigations/workarounds for users to follow:
  - Ensure malicious actors cannot access project files, configuration files, or security keys stored on the host machine via untrusted networks or hosts.
  - Install antivirus software on the host machine running the software.
  - Encrypt project files and security keys when sending or receiving over the Internet.
  - Use the "authentication with a certificate" function instead of "username / password authentication" for user authentication for access from OPC UA clients to MELSEC iQ-R series OPC UA server modules (MX OPC UA Module Configurator-R only).
- For specific update instructions and additional details, see the Mitsubishi Electric advisory.
Affected Vendors
Mitsubishi Electric
Affected Products (13)
- Mitsubishi Electric · GX Works3 · >=1.000A|<1.011M
- Mitsubishi Electric · GX Works3 · >=1.015R|<1.087R
- Mitsubishi Electric · GX Works3 · 1.090U
- Mitsubishi Electric · GX Works3 · 1.095Z
- Mitsubishi Electric · GX Works3 · >=1.096A
- Mitsubishi Electric · MX OPC UA Module Configurator-R · <=1.08J
- Mitsubishi Electric · GX Works2 · vers:all/*
- Mitsubishi Electric · GX Developer · >=8.40S
- Mitsubishi Electric · GT Designer3 Version1 (GOT2000) · >=1.122C|<1.290C
- Mitsubishi Electric · Motion Control Settings (GX Works3 related software) · >=1.000A|<1.033K
- Mitsubishi Electric · Motion Control Settings (GX Works3 related software) · >=1.035M|<1.042U
- Mitsubishi Electric · Motion Control Settings (GX Works3 related software) · >=1.045X|<1.065T
- Mitsubishi Electric · MT Works2 · >=1.100E|<1.200J
Affected Sectors
Critical Manufacturing