OTPulse

Mitsubishi Electric FR Configurator2

Plan Patch · 7.1 · ICS-CERT ICSA-19-204-01 · Jul 23, 2019
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

FR Configurator2 contains two vulnerabilities in file parsing logic: an XML external entity (XXE) flaw (CWE-611) that allows reading arbitrary files, and a denial-of-service flaw (CWE-400) triggered by malformed input. These vulnerabilities affect FR Configurator2 version 1.16S and earlier. Exploitation requires local file system access and user interaction to open a malicious configuration file. No remote exploitation is possible.

What this means
What could happen
An attacker with local access to a machine running FR Configurator2 could read arbitrary files from the system or cause the application to crash, potentially disrupting configuration and monitoring of Mitsubishi Electric inverters used in solar and renewable energy installations.
Who's at risk
Organizations operating solar inverters, renewable energy systems, and power management installations using Mitsubishi Electric FR inverter series should assess their reliance on FR Configurator2 for device configuration and monitoring. Engineering and operations staff who use this tool on laptops or desktops are the primary users at risk.
How it could be exploited
An attacker must obtain local code execution or file system access on a workstation running FR Configurator2. The attack vector requires user interaction: the attacker delivers a malicious file (via USB, email attachment, or shared network folder) and tricks the operator into opening it with FR Configurator2, triggering XML external entity expansion (XXE) or other file parsing flaws.
Prerequisites
  • Local access to the workstation running FR Configurator2
  • User interaction required (opening a malicious file)
  • FR Configurator2 version 1.16S or earlier
local attack only · user interaction required · no authentication required · CWE-611 (XXE) · affects engineering workstations
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (1)
Product: FR Configurator2
Affected Versions: ≤ 1.16S
Fix Status: 1.17T
Remediation & Mitigation
Do now
WORKAROUND: Do not open configuration files from untrusted sources in FR Configurator2; validate source and content before opening
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade FR Configurator2 to version 1.17T or later
Long-term hardening
HARDENING: Implement file integrity monitoring and access controls on configuration workstations
HARDENING: Restrict local administrative access to engineering workstations to minimize risk of malicious file introduction
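
One way to carry out the "validate content before opening" workaround on an unpatched workstation, as an added example that is not part of the advisory or of Mitsubishi Electric's tooling: a pre-open triage that flags DTD and entity declarations, the markup an XXE (CWE-611) payload depends on. It assumes the file is plain XML text, which the advisory does not state; the function names and sample inputs are constructed for illustration.

```python
import codecs
import re
import sys
from pathlib import Path

# Longest BOMs first: the UTF-32-LE mark begins with the UTF-16-LE mark.
_BOMS = [(codecs.BOM_UTF32_LE, "utf-32-le"), (codecs.BOM_UTF32_BE, "utf-32-be"),
         (codecs.BOM_UTF8, "utf-8"), (codecs.BOM_UTF16_LE, "utf-16-le"),
         (codecs.BOM_UTF16_BE, "utf-16-be")]
_DOCTYPE = re.compile(r"<!DOCTYPE\b", re.I)
# General (<!ENTITY n SYSTEM ...>) and parameter (<!ENTITY % n SYSTEM ...>) forms.
_EXTERNAL = re.compile(r"<!ENTITY\s+(?:%\s+)?[^\s>]+\s+(?:SYSTEM|PUBLIC)\b", re.I)
_ENTITY = re.compile(r"<!ENTITY\b", re.I)
# Constructed sample inputs (assumption: not real FR Configurator2 files).
SAMPLES = {
    "clean": b'<?xml version="1.0"?><settings><item id="1"/></settings>',
    "external-utf16": ('<?xml version="1.0"?><!DOCTYPE s [<!ENTITY e SYSTEM '
                       '"file:///placeholder">]><s>&e;</s>').encode("utf-16"),
}

def decode_xml(data: bytes) -> str:
    """Pick the encoding as an XML parser would, so UTF-16 content is not missed."""
    for bom, name in _BOMS:
        if data.startswith(bom):
            return data[len(bom):].decode(name, errors="replace")
    if data[:2] == b"<\x00":  # BOM-less UTF-16-LE starting with '<'
        return data.decode("utf-16-le", errors="replace")
    if data[:2] == b"\x00<":  # BOM-less UTF-16-BE starting with '<'
        return data.decode("utf-16-be", errors="replace")
    return data.decode("utf-8", errors="replace")

def triage(data: bytes) -> list:
    """Return findings for one file's bytes; an empty list means no DTD markup seen."""
    text = decode_xml(data)
    findings = []
    if _DOCTYPE.search(text):
        findings.append("doctype")
    if _EXTERNAL.search(text):
        findings.append("external-entity")
    elif _ENTITY.search(text):
        findings.append("internal-entity")
    return findings

if __name__ == "__main__":
    # With file arguments, scan those files; otherwise run on the constructed samples.
    inputs = {p: Path(p).read_bytes() for p in sys.argv[1:]} or SAMPLES
    for name, data in inputs.items():
        print(f"{name}: {', '.join(triage(data)) or 'no DTD markup found'}")
```

A flagged file should be held for manual review rather than opened in FR Configurator2 1.16S or earlier. An empty result does not show a file is safe, since the advisory does not describe the input that triggers the CWE-400 flaw.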