Mitsubishi Electric Factory Automation Engineering Software Products
MonitorCVSS 7.5ICS-CERT ICSA-20-182-02Jun 30, 2020
Mitsubishi ElectricEnergy
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary
Multiple Mitsubishi Electric factory automation engineering software products contain XML external entity (XXE) injection (CWE-611) and improper resource management (CWE-400) vulnerabilities in how they parse project and configuration files. These flaws allow a local attacker to read arbitrary files from an engineering workstation or cause the software to crash by supplying a specially crafted configuration file. Affected products include GX Works2/3 (PLC programming), RT ToolBox2/3 (industrial controller engineering), MELFA-Works (robot programming), GT Designer3 (HMI design), and numerous device configuration tools for I/O modules, motion controllers, and safety relays.
What this means
What could happen
An attacker with local access could exploit XML parsing flaws or resource exhaustion to exfiltrate configuration files from engineering workstations or crash the design tool, interrupting PLC/robot/manufacturing device programming and commissioning activities.
Who's at risk
Engineering teams in the energy sector (and other industries) using Mitsubishi Electric factory automation tools. This includes PLC programmers and configuration engineers using GX Works2/3, RT ToolBox, robot engineers using MELFA-Works, and those configuring I/O modules, safety controllers, or motion controllers. Any facility that programs or maintains Mitsubishi MELSEC PLCs, industrial robots, or smart I/O devices is potentially affected.
How it could be exploited
An attacker delivers a malicious project or configuration file (via email, USB, or file share) to an engineer using one of the affected Mitsubishi tools. When the engineer opens the file, the XML parsing vulnerability (CWE-611) is triggered, allowing the attacker to read arbitrary files from the workstation or cause a denial-of-service crash (CWE-400). No credentials or special access required—just social engineering to deliver the file.
Prerequisites
- Local access to an engineering workstation with one of the affected Mitsubishi tools installed
- User must open a malicious project or configuration file
- File delivery via email, USB, network share, or other means
No authentication required to exploit (file-based)Low complexity attack (deliver file and wait for user to open it)Affects 20 widely-used engineering toolsNo patch available at time of advisory (though patches have since been released)Exfiltration and denial-of-service impact on engineering capability
Exploitability
Unlikely to be exploited — EPSS score 0.5%
Affected products (20)
20 pending
ProductAffected VersionsFix Status
MELSOFT FieldDeviceConfigurator:≤ 1.03DNo fix yet
RT ToolBox3:≤ 1.50CNo fix yet
GX Works2:≤ 1.586LNo fix yet
CW Configurator:≤ 1.010LNo fix yet
RT ToolBox2:≤ 3.72ANo fix yet
Remediation & Mitigation
0/25
Do now
0/3WORKAROUNDOperate all Mitsubishi software tools and engineering workstations under non-administrative user accounts
WORKAROUNDInstall antivirus software on all engineering workstations running these tools
WORKAROUNDEducate engineers to verify the source of project and configuration files before opening them; reject files from unknown sources
Schedule — requires maintenance window
0/20Patching may require device reboot — plan for process interruption
EM Software Development Kit (EM Configurator):
HOTFIXUpdate EM Software Development Kit (EM Configurator) to version 1.015R or later
GT Designer3 (GOT2000):
HOTFIXUpdate GT Designer3 (GOT2000) to version 1.225K or later
All products
HOTFIXUpdate CPU Module Logging Configuration Tool to version 1.100E or later
HOTFIXUpdate CW Configurator to version 1.011M or later
HOTFIXUpdate GX LogViewer to version 1.100E or later
HOTFIXUpdate GX Works2 to version 1.590Q or later
HOTFIXUpdate GX Works3 to version 1.060N or later
HOTFIXUpdate M_CommDTM-HART to version 1.01B or later
HOTFIXUpdate M_CommDTM-IO-Link to version 1.03D or later
HOTFIXUpdate MELFA-Works to version 4.4 or later
HOTFIXUpdate MELSEC-L Flexible High-Speed I/O Control Module Configuration Tool to version 1.005F or later
HOTFIXUpdate MELSOFT FieldDeviceConfigurator to version 1.04E or later
HOTFIXUpdate MELSOFT iQ AppPortal to version 1.14Q or later
HOTFIXUpdate MELSOFT Navigator to version 2.62Q or later
HOTFIXUpdate MI Configurator to version 1.004E or later
HOTFIXUpdate Motion Control Setting to version 1.006G or later
HOTFIXUpdate MR Configurator2 to version 1.100E or later
HOTFIXUpdate MT Works2 to version 1.160S or later
HOTFIXUpdate RT ToolBox2 to version 3.73B or later
HOTFIXUpdate RT ToolBox3 to version 1.60N or later
Long-term hardening
0/2HARDENINGIsolate engineering workstations on a separate network segment from production control systems and the internet
HARDENINGImplement firewall rules to restrict network access to engineering workstations; block file sharing and email from untrusted networks
CVEs (2)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/0a7f972c-f316-4a17-99b9-c82d09fdd79aGet OT security insights every Tuesday
Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.