Mitsubishi Electric Factory Automation Products Path Traversal (Update C)

Plan PatchCVSS 8.3ICS-CERT ICSA-20-212-03Jul 30, 2020

Mitsubishi ElectricEnergy

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityHigh

User InteractionRequired

Summary

Mitsubishi Electric Factory Automation Products contain a path traversal vulnerability that allows an attacker to read arbitrary files, modify files, or cause denial of service on engineering workstations running affected software. The vulnerability exists in software configuration and development tools including GX Works2, GX Works3, MT Works2, MELSEC iQ-R Motion Module configurator, FR Configurator2, CW Configurator, MI Configurator, MELSOFT Navigator, RT ToolBox3, MR Configurator2, MELSOFT iQ AppPortal, and MX Component.

What this means

What could happen

An attacker could trick an engineer into opening a malicious project or configuration file, leading to unauthorized access to engineering data, tampering with control system configurations before they are deployed, or disrupting the engineering environment. This could allow modification of PLC logic, I/O settings, or safety parameters without detection.

Who's at risk

Engineering staff and IT personnel at utilities and manufacturing sites using Mitsubishi Electric factory automation tools. Specifically affects organizations using GX Works2/GX Works3 (PLC programming), MT Works2 (motion control), MELSEC iQ-R Motion Module configurators, FR/CW/MI/MR Configurators, MELSOFT Navigator, RT ToolBox3, MELSOFT iQ AppPortal, or MX Component for programming and configuring industrial control systems and PLCs.

How it could be exploited

An attacker crafts a malicious project file or configuration file with specially formatted paths and sends it to an engineer via email, USB, or file share. When the engineer opens the file in the affected Mitsubishi software, the path traversal flaw allows the attacker's code or commands to execute in the context of the engineering workstation, reading or modifying files outside the project directory.

Prerequisites

User interaction required: engineer must open a malicious file attachment or from untrusted source
File must be opened in one of the affected software versions
No special network access required; attack is file-based and local to the workstation

User interaction requiredAttack surface includes all staff with engineering software accessPath traversal can lead to control system configuration tamperingNo patch available for multiple products as of advisory date

Exploitability

Some exploitation risk — EPSS score 1.3%

Affected products (12)

12 with fix

ProductAffected VersionsFix Status

MELSEC iQ-R Series Motion Module:≤ 1012+

FR Configurator2:≤ 1.22Y1.23Z+

CW Configurator:≤ 1.010L1.011M+

MI Configurator versions: 1.004E and prior≤ 1.004E1.005F+

MELSOFT Navigator: 2.70Y and prior≤ 2.70Y2.74C+

GX Works3:≤ 1.063R1.065T+

MR Configurator2 Version: 1.110Q and prior≤ 1.110Q1.115V+

MELSOFT iQ AppPortal:≤ 1.17T1.20W+

Remediation & Mitigation

0/17

Do now

0/2

HARDENINGRun engineering software under standard user accounts without administrator privileges (except MELSEC iQ-R Motion Module)

WORKAROUNDRequire staff to verify the source of project files and configuration data before opening, especially files received via email, USB, or file servers

Schedule — requires maintenance window

0/13

Patching may require device reboot — plan for process interruption

Long-term hardening

0/2

HARDENINGRestrict network access to engineering workstations and isolate them from untrusted networks

HARDENINGUse VPN for any remote access to engineering systems

CVEs (1)

CVE-2020-14523

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/25130006-4080-4149-834a-04285d904c46

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.