Mitsubishi Electric GOT2000 Series

Plan PatchCVSS 9.8ICS-CERT ICSA-20-189-02Jul 7, 2020

Mitsubishi ElectricEnergy

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Multiple vulnerabilities exist in Mitsubishi Electric GOT2000 series HMI devices (GT23, GT25, GT27 models) in the CoreOS component. The vulnerabilities include buffer overflow (CWE-119), memory corruption (CWE-476), improper input validation (CWE-20), and insufficient access controls (CWE-284). These flaws allow an attacker on the network to send a specially crafted message to the device and execute arbitrary code without requiring authentication or user interaction. Affected versions include all currently shipped versions of GOT2000 CoreOS.

What this means

What could happen

An attacker with network access to a GOT2000 series HMI could execute arbitrary code and gain full control of the device, potentially allowing manipulation of process parameters, alarms, and operator displays across connected industrial systems.

Who's at risk

Energy sector operators running Mitsubishi Electric GOT2000 series HMI (Human Machine Interface) devices for process monitoring and control, including GT23, GT25, and GT27 models. Operators at power generation facilities, substations, and distribution control centers that rely on these touchscreen controllers to monitor or command industrial processes are directly affected.

How it could be exploited

An attacker on the network sends a specially crafted packet to the GOT2000 HMI on the default port. The device does not properly validate the input due to buffer overflow and memory safety issues (CWE-119, CWE-476). This allows the attacker to execute arbitrary commands on the HMI with no authentication required, potentially affecting any process the HMI controls or monitors.

Prerequisites

Network access to the GOT2000 device on its management/communication port
Device must be reachable from the attacker's network segment
No credentials or user interaction required

Remotely exploitableNo authentication requiredLow complexity attackHigh CVSS score (9.8)Affects HMI/control interface for critical processesNo patch currently available

Exploitability

Some exploitation risk — EPSS score 1.3%

Affected products (3)

3 with fix

ProductAffected VersionsFix Status

GT27 model: GOT2000 CoreOSAll versionsVersion -Z+

GT25 model: GOT2000 CoreOSAll versionsVersion -Z+

GT23 model: GOT2000 CoreOSAll versionsVersion -Z+

Remediation & Mitigation

0/5

Do now

0/2

WORKAROUNDInstall firewall rules to restrict network access to GOT2000 devices to only authorized engineering workstations and control system devices that legitimately communicate with them

HARDENINGConduct network scan to identify any GOT2000 devices exposed to the internet or business network and document their locations and connected systems

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate CoreOS to Version -Z or later by installing MELSOFT GT Designer3 (2000) Version 1.240A or later, copying updated CoreOS to SD card, and inserting SD card into target GOT2000 unit

Long-term hardening

0/2

HARDENINGImplement network segmentation: place GOT2000 HMI devices on isolated OT/control network not accessible from business or internet-facing networks

HARDENINGIf remote access is required for engineering or monitoring, deploy VPN with current security patches and restrict VPN access to authorized personnel only

CVEs (6)

CVE-2020-5595 CVE-2020-5596 CVE-2020-5597 CVE-2020-5598 CVE-2020-5599 CVE-2020-5600

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/252c4ead-2f17-46b7-8217-de0a316c9606

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.