Mitsubishi Electric Automation MX Component V3 ActiveX Vulnerability
Act Now · ICS-CERT ICSA-13-140-01 · Feb 21, 2013
Summary
Mitsubishi Electric Automation MX Component V3 contains an ActiveX control vulnerability (CWE-122) that could allow remote code execution. The vulnerability affects Automation MX Component v3, CitectFacilities v7.10 and earlier, and CitectSCADA v7.0 and earlier. No vendor fix is available for any affected product.
What this means
What could happen
An attacker could execute arbitrary code on engineering workstations or HMI systems running vulnerable versions, potentially allowing them to modify control logic, alter setpoints, or disrupt normal plant operations.
Who's at risk
This affects utility and manufacturing operations using Mitsubishi Electric SCADA and HMI systems for supervisory control and data acquisition. It specifically impacts sites running CitectSCADA v7.0 or earlier, CitectFacilities v7.10 or earlier, or Automation MX Component v3, which are common choices for power generation, water treatment, and industrial process control.
How it could be exploited
An attacker could craft a malicious web page or document containing the vulnerable ActiveX control. If an engineering workstation user opens this page or document in a web browser with ActiveX enabled, the attacker's code executes with the user's privileges on that workstation.
Prerequisites
- Engineering workstation or HMI system running vulnerable versions
- ActiveX enabled in web browser
- User opens attacker-controlled web page or document
- No network isolation between engineering network and untrusted sources
- No vendor fix available
- High EPSS score (29.7%)
- Remotely exploitable via web browser
- Affects engineering and control workstations
Exploitability
High exploit probability (EPSS 29.7%)
Affected products (3)
3 EOL

| Product | Affected Versions | Fix Status |
|---|---|---|
| Automation MX Component | 3 | No fix (EOL) |
| CitectSCADA | ≤ v7.0 | No fix (EOL) |
| CitectFacilities | ≤ v7.10 | No fix (EOL) |
Remediation & Mitigation
Do now
- WORKAROUND: Disable ActiveX controls in Internet Explorer and other browsers on engineering workstations
Schedule — requires maintenance window
- Patching may require device reboot — plan for process interruption
- HOTFIX: Evaluate migration to newer Mitsubishi Electric or alternative SCADA/HMI platforms that receive security updates
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Automation MX Component: 3, CitectSCADA: ≤ v7.0, CitectFacilities: ≤ v7.10. Apply the following compensating controls:
- HARDENING: Implement network segmentation to isolate engineering workstations from general-purpose networks and internet access
- HARDENING: Restrict web browsing on engineering workstations to only trusted, internal sites
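The "disable ActiveX in Internet Explorer" workaround above is usually applied through the IE security-zone registry settings rather than by hand in each user's browser. The script below is an added example, not part of the ICS-CERT advisory or any vendor guidance: it sets the ActiveX-related URL actions for the Internet and Restricted zones to Disable, makes the machine-wide zone settings authoritative over per-user settings, and optionally sets the Compatibility Flags "kill bit" for a single control. The advisory page does not list the vulnerable control's CLSID, so the CLSID in the script is a placeholder that an administrator would replace after identifying the control on an affected workstation; the `Test-ActiveXZoneHardening` function name is also this example's own.

```powershell
# Added example (not from the advisory): harden IE security zones on an engineering
# workstation so ActiveX controls are not downloaded, run or scripted.
# Run from an elevated PowerShell session; HKLM settings apply to all users.

$ZonesRoot = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Zones     = @(3, 4)   # 3 = Internet zone, 4 = Restricted sites zone

# IE URL action IDs for ActiveX handling; a value of 3 means "Disable".
$ActiveXActions = [ordered]@{
    '1001' = 3   # Download signed ActiveX controls
    '1004' = 3   # Download unsigned ActiveX controls
    '1200' = 3   # Run ActiveX controls and plug-ins
    '1201' = 3   # Initialize and script ActiveX controls not marked as safe for scripting
    '1405' = 3   # Script ActiveX controls marked safe for scripting
}

foreach ($zone in $Zones) {
    $zonePath = Join-Path $ZonesRoot $zone
    if (-not (Test-Path $zonePath)) { New-Item -Path $zonePath -Force | Out-Null }
    foreach ($action in $ActiveXActions.Keys) {
        Set-ItemProperty -Path $zonePath -Name $action -Value $ActiveXActions[$action] -Type DWord
    }
}

# "Security Zones: Use only machine settings" so a user cannot re-enable ActiveX in HKCU.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
if (-not (Test-Path $policyPath)) { New-Item -Path $policyPath -Force | Out-Null }
Set-ItemProperty -Path $policyPath -Name 'Security_HKLM_only' -Value 1 -Type DWord

# Optional kill bit for one specific control. PLACEHOLDER CLSID: replace with the
# CLSID of the control identified on the workstation; 0x400 prevents IE from loading it.
$ControlClsid = '{00000000-0000-0000-0000-000000000000}'   # placeholder, not a real CLSID
$killBitPath  = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$ControlClsid"
if (-not (Test-Path $killBitPath)) { New-Item -Path $killBitPath -Force | Out-Null }
Set-ItemProperty -Path $killBitPath -Name 'Compatibility Flags' -Value 0x400 -Type DWord

# Audit: read every setting back and report which ones still differ from the intended value,
# so the script can be re-run as a compliance check after the change window.
function Test-ActiveXZoneHardening {
    $findings = foreach ($zone in $Zones) {
        $zonePath = Join-Path $ZonesRoot $zone
        foreach ($action in $ActiveXActions.Keys) {
            $actual = (Get-ItemProperty -Path $zonePath -Name $action -ErrorAction SilentlyContinue).$action
            [pscustomobject]@{
                Zone      = $zone
                Action    = $action
                Expected  = $ActiveXActions[$action]
                Actual    = $actual
                Compliant = ($actual -eq $ActiveXActions[$action])
            }
        }
    }
    $findings
}

Test-ActiveXZoneHardening | Format-Table -AutoSize
```

The zone values are the same ones Group Policy writes for "Run ActiveX controls and plug-ins" and the related settings, so on domain-joined workstations the equivalent GPO is preferable to a local script; the audit function is useful either way, because it catches a workstation whose local settings were changed by a user or a software installer.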
CVEs (1)