OTPulse
FeedAboutContact

ICSA-20-212-02_Mitsubishi Electric Multiple Factory Automation Engineering Software Products (Update A)

Plan Patch8.3ICS-CERT ICSA-20-212-02Jul 30, 2020
Attack VectorNetwork
Auth RequiredNone
ComplexityHigh
User InteractionRequired
Summary

A vulnerability in multiple Mitsubishi Electric factory automation engineering software products allows arbitrary code execution when a user opens a specially crafted file. The vulnerability affects 33 products spanning PLC configuration tools (GX Works2/3), robot programming (MELFA-Works), motion control tools (RT ToolBox), communication middleware (MX Component), and network utility software. Most products are end-of-life with no patches available; Mitsubishi recommends installing a patched version of GX Works2, GX Works3, or MELSOFT Navigator in the same folder as mitigation, running tools under non-admin accounts, isolating engineering networks, and using antivirus software.

What this means
What could happen
An attacker could execute arbitrary code on engineering workstations running these Mitsubishi factory automation tools, potentially allowing them to modify PLC/robot configurations, alter control logic, or inject malicious code into deployed control systems.
Who's at risk
Factory automation engineers and technicians at utilities and industrial facilities using Mitsubishi Electric factory automation software, including those managing PLCs (MELSEC series), robots (MELFA), motion controllers, variable frequency drives, and network interface boards. This affects anyone who uses GX Works, GT Designer, MELFA-Works, RT ToolBox, MX Component, or associated configuration utilities.
How it could be exploited
An attacker sends a malicious file (likely via email or web) to an engineer using one of the affected Mitsubishi tools. When the engineer opens or processes the file in the tool, the vulnerability is triggered, allowing the attacker to run code with the privileges of the logged-in user. From there, the attacker can modify project files, inject commands into deployed PLCs or robots, or move laterally across the engineering network.
Prerequisites
  • User interaction required: engineer must open or process a malicious file in one of the affected tools
  • The affected Mitsubishi software tool must be installed on the workstation
  • Non-interactive exploitation possible if file is processed by batch scripts or automated workflows
Remotely exploitable via email or web deliveryUser interaction required but plausible (opening project files)High impact: can alter PLC logic and control system behaviorNo patches available for 30+ products—many end-of-lifeAffects safety and critical process control systemsMitsubishi is dominant in factory automation in utilities and manufacturing
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (33)
33 pending
ProductAffected VersionsFix Status
Data Transfer:≤ 3.40SNo fix yet
MELSOFT FieldDeviceConfigurator:≤ 1.03DNo fix yet
GT SoftGOT2000 Version1 Bersions: 1.235V and prior≤ 1.235VNo fix yet
MR Configurator2:≤ 1.105KNo fix yet
FR Configurator2:≤ 1.22YNo fix yet
Remediation & Mitigation
0/7
Do now
0/3
WORKAROUNDInstall patched version of at least one of GX Works2 (1.595V+), GX Works3 (1.065T+), or MELSOFT Navigator (2.70Y+) on PCs where unpatched products remain in use—this provides compensating protection to other tools in the same folder
HARDENINGRun all Mitsubishi factory automation tools under non-administrator user accounts
HARDENINGInstall and maintain antivirus software on all engineering workstations running Mitsubishi tools
Schedule — requires maintenance window
0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate all affected Mitsubishi products to patched versions listed in the advisory (e.g., GX Works2 1.595V or later, GX Works3 1.065T or later, Data Transfer 3.41T or later)
HOTFIXFor products with no fix (MELSEC WinCPU Setting Utility), migrate to MELSEC iQ-R series with CW Configurator (Version 1.011M or later) as replacement
Long-term hardening
0/2
HARDENINGRestrict network access to engineering workstations: disable internet access where possible, segment the engineering network from production networks, and use firewall rules to limit inbound connections
HARDENINGRequire VPN for any remote access to engineering workstations or networks
View full CISA ICS-CERT advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/3a26f368-5c26-4e61-8576-955bd3219e7f