Mitsubishi Electric MELSEC iQ-R Series Safety CPU and SIL2 Process CPU (Update A)

Risk Summary

Successful exploitation of this vulnerability could allow a non-administrator user to disclose the credentials (user ID and password) of a user with a lower access level than themselves.

CVEs (1)

Remediations

• When the affected products are used in the following combinations, an attack can be prevented by enabling "communicating with only the enhanced version of vulnerability management of GX Works3" when writing user information to the CPU module:
• MELSEC iQ-R Series Safety CPU versions 27 or later used with GX Works3 versions 1.087R or later.
• MELSEC iQ-R Series SIL2 Process CPU version 12 or later used with GX Works3 versions 1.105K or later.
• Mitsubishi Electric recommends that users of MELSEC iQ-R Series Safety CPU (version 26 and prior) or MELSEC iQ-R Series SIL2 Process CPU (version 11 and prior) take the following mitigation measures to minimize the risk of exploiting this vulnerability because updating the product to the enhanced version of vulnerability management is not available:
• Use a firewall or virtual private network (VPN), etc., to prevent unauthorized access when Internet access is required.
• Use within a LAN and block access from untrusted networks and hosts through firewalls.
• Use IP filter function to block access from untrusted hosts. For details on the IP filter function, please refer to the following manual for each product. "1.13 Security" - "IP filter" in the MELSEC iQ-R Ethernet User's Manual(Application).
• Restrict physical access to the affected product as well as to the personal computers and the network devices that can communicate with it.
• Install antivirus software on your personal computer that can access the affected product.
• For specific update instructions and additional details, see Mitsubishi Electric advisory 2023-021..

Affected Vendors

Affected Products (8)

Affected Sectors

Critical Manufacturing