ICSA-24-004-02  ·  Published 2024-01-04  ·  View on CISA ICS-CERT ↗

Mitsubishi Electric Factory Automation Products

CVSS 7.5 HIGH

Risk Summary

Successful exploitation of these vulnerabilities could disclose information in the product or could cause a denial-of-service (DoS) condition.

Remediations

  • Mitsubishi Electric recommends that users update their products to the following versions:
      • GT SoftGOT2000: Version 1.295H or later
      • OPC UA Data Collector: Version 1.05F or later
      • MX OPC Server UA: Use recommended mitigations/workarounds
      • OPC UA Server Unit: Use recommended mitigations/workarounds
      • FX5-OPC: Version 1.010 or later
  • Mitsubishi Electric recommends that users take the following mitigation measures to minimize the risk of exploiting these vulnerabilities:
      • GT SoftGOT2000 and OPC UA Data Collector: Do not load untrusted certificate revocation lists (CRLs).
      • MX OPC Server UA: Use within a LAN and block access from untrusted networks and hosts through firewalls. Restrict physical access to the product, as well as to computers and network devices located within the same network as the product. Use a firewall or virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required.
      • OPC UA Server Unit: Use within a LAN and block access from untrusted networks and hosts through firewalls. Restrict physical access to the product, as well as to computers and network devices located within the same network as the product. Use a firewall or virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required. Set a security policy other than 'None' in the security setting function to prevent unauthorized access. For details on the security setting function, please refer to the MELSEC iQ-R OPC UA Server Unit User's Manual (Application), section 1.1 "OPC UA Server Function".
      • FX5-OPC: Use within a LAN and block access from untrusted networks and hosts through firewalls. Restrict physical access to the product, as well as to computers and network devices located within the same network as the product. Use a firewall or virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required. Use the IP filter function to block access from untrusted hosts. For details on the IP filter function, please refer to the MELSEC iQ-F FX5 OPC UA Module User's Manual, section 4.4 "IP Filter". Do not import untrusted certificates.
  • For additional details, see the Mitsubishi Electric advisory 2023-018.

Affected Vendors

Mitsubishi Electric

Affected Products (5)

Mitsubishi Electric · GT SoftGOT2000 >=1.275M|<1.290C
Mitsubishi Electric · OPC UA Data Collector <=1.04E
Mitsubishi Electric · MX OPC Server UA (Software packaged with MC Works64) >=3.05F_Packaged_with_MC_Works64_4.03D
Mitsubishi Electric · OPC UA Server Unit vers:all/*
Mitsubishi Electric · FX5-OPC <=1.006_

Affected Sectors

Critical Manufacturing
