OTPulse

Mitsubishi Electric Factory Automation Engineering Products

Plan Patch | CVSS 8.3 | ICS-CERT ICSA-20-212-04 | Jul 30, 2020
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: Required
Summary

Mitsubishi Electric factory automation engineering software products are vulnerable to arbitrary code execution when processing specially crafted files. The vulnerability affects a broad range of tools including GX Works2/3, GT Designer (all versions), MX Component, RT ToolBox, MELFA-Works, CC-Link utilities, and many others. An attacker who can trick a user into opening a malicious file on a Windows machine running one of these tools could execute arbitrary code with the privileges of the logged-in user. The CVSS score is 8.3 with high impact on confidentiality, integrity, and availability. This is a follow-up to the original advisory published in August 2020; the list of affected products has expanded significantly, and no vendor patches are currently available.

What this means
What could happen
An attacker could execute arbitrary code on engineering workstations running Mitsubishi Electric factory automation software, potentially gaining control over connected PLCs, motion controllers, and HMI systems to alter process parameters or halt operations.
Who's at risk
This affects all organizations using Mitsubishi Electric factory automation engineering and monitoring software, including energy utilities, water authorities, and manufacturers. The vulnerability impacts software tools used to configure, monitor, and maintain PLCs (MELSEC CPUs), motion controllers (MELFA), HMI/GOT systems, CC-Link and CC-Link IE network interfaces, and MTConnect data collectors. Any operator or engineer who uses these tools on a Windows workstation is at risk.
How it could be exploited
An attacker tricks a user into opening a malicious file (e.g., via email or a compromised website) on a Windows machine running one of the affected Mitsubishi software tools. The file exploits a code execution vulnerability during application startup or file processing. Once the attacker has code execution on the workstation, they could interact with connected factory automation devices (PLCs, drives, network interfaces) over Ethernet or proprietary protocols like CC-Link.
Prerequisites
  • User must open a malicious file on a Windows machine running one of the affected Mitsubishi engineering tools
  • Attacker must craft a file that triggers the vulnerability (high complexity)
  • Engineering workstation must have network access to factory automation devices (PLCs, motion controllers, I/O boards) for lateral movement
  • remotely exploitable via malicious file attachment or download
  • user interaction required (user must open file)
  • high attack complexity (attacker must craft specific payload)
  • affects engineering workstations with access to control systems
  • no patch available for any affected product
  • impacts safety-critical system configuration tools
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (47)
47 pending
Product | Affected Versions | Fix Status
Network Interface Board CC-Link Ver.2 Utility | ≤ 1.23Z | No fix yet
CC-Link IE Field Network Data Collector | 1.00A | No fix yet
Position Board utility 2 | All versions | No fix yet
MI Configurator | ≤ 1.004E | No fix yet
CPU Module Logging Configuration Tool | ≤ 1.100E | No fix yet
Remediation & Mitigation
Do now
  • WORKAROUND: Operate all Mitsubishi engineering and monitoring software under standard user accounts without administrator privileges
  • HARDENING: Install and maintain antivirus software on all computers running affected Mitsubishi products
  • HARDENING: Restrict network access to engineering workstations; ensure they are not reachable from untrusted networks or the internet
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Download and install the latest version of each affected Mitsubishi software product from the official Mitsubishi Electric website
  • HARDENING: Require VPN authentication for any remote access to engineering workstations or control networks
Long-term hardening
  • HARDENING: Place factory automation control networks behind firewalls and isolate them from general IT networks