OTPulse

Mitsubishi Electric GOT (Update A)

Monitor | 5.9 | ICS-CERT ICSA-21-112-02 | Apr 22, 2021
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

A VNC server authentication bypass vulnerability exists in Mitsubishi Electric GOT2000 and GOT SIMPLE series human-machine interface devices. The VNC server fails to properly verify credentials during the login process, allowing an attacker to gain unauthorized access without a valid password. The vulnerability affects multiple model variants with different vulnerable versions and patched versions. High attack complexity is required to exploit this vulnerability; no known public exploits exist. GOT2000 GT27 and GT25 models have no fix available. GOT2000 GT21 models (GT2107-WTBD and GT2107-WTSD) and GOT SIMPLE GS21 models (GS2110-WTBD-N and GS2107-WTBD-N) have patches available.

What this means
What could happen
An attacker could bypass authentication on the VNC server in these Mitsubishi GOT human-machine interface (HMI) devices, potentially gaining unauthorized access to control console functionality and process visibility or parameters.
Who's at risk
Energy sector organizations operating Mitsubishi Electric GOT2000 and GOT SIMPLE series HMI devices should assess this vulnerability. Affected equipment includes: GT27, GT25, and GT21 (GT2107-WTBD, GT2107-WTSD) models in GOT2000 series, and GS21 (GS2110-WTBD-N, GS2107-WTBD-N) models in GOT SIMPLE series. This affects control room console access and monitoring capabilities.
How it could be exploited
An attacker with network access to the VNC server port (typically 5900) could send crafted authentication requests that bypass the login mechanism due to improper credential verification. This requires knowledge of the specific VNC server implementation and custom payloads, but does not require valid credentials or user interaction.
Prerequisites
  • Network access to the VNC server port on the affected GOT device
  • High attack complexity required—attacker must craft specific authentication bypass payloads
Tags: remotely exploitable; no authentication required (bypass); no patch available for GT25 and GT27 models; affects control system visualization and monitoring
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (6)
4 with fix, 2 EOL

| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| GT2107-WTSD VNC server | ≤ 01.40.000 | 01.41.000 or later |
| GT25 model VNC server | ≤ 01.39.010 | No fix (EOL) |
| GT2107-WTBD VNC server | ≤ 01.40.000 | 01.41.000 or later |
| GS2110-WTBD-N VNC server | ≤ 01.40.000 | 01.41.000 or later |
| GT27 model VNC server | ≤ 01.39.010 | No fix (EOL) |
| GS2107-WTBD-N VNC server | ≤ 01.40.000 | 01.41.000 or later |

Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the VNC server port on GOT devices to only trusted networks and hosts until patching is complete.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade VNC server to patched version: GT27 and GT25 models to 01.40.000 or later; GT2107-WTBD and GT2107-WTSD to 01.41.000 or later; GS2110-WTBD-N and GS2107-WTBD-N to 01.41.000 or later.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: GT25 model VNC server, GT27 model VNC server. Apply the following compensating controls:
HARDENING: Place GOT HMI devices behind a firewall and isolate from business networks; do not expose to the Internet.
HARDENING: For required remote access, use a VPN to the facility network rather than direct exposure of the VNC port.
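
The affected-products table and the remediation steps above can be applied to an asset inventory with a short triage script. This is an added example, not part of the advisory or any vendor tool; it follows the table's version ceilings, and the inventory rows, asset tags, action labels and the assumption that GT25/GT27 model names begin with those prefixes are constructed for illustration.

```python
import re

# Affected ceiling and fix version per product, copied from the advisory table.
# A key ending in "*" is a family prefix (assumption: model names start with it).
ADVISORY = {
    "GT2107-WTBD":   ("01.40.000", "01.41.000"),
    "GT2107-WTSD":   ("01.40.000", "01.41.000"),
    "GS2110-WTBD-N": ("01.40.000", "01.41.000"),
    "GS2107-WTBD-N": ("01.40.000", "01.41.000"),
    "GT25*":         ("01.39.010", None),   # EOL, no fix
    "GT27*":         ("01.39.010", None),   # EOL, no fix
}

def parse_version(text):
    """Turn 'NN.NN.NNN' into a comparable tuple; None if malformed."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(p) for p in m.groups()) if m else None

def lookup(model):
    model = model.strip().upper()
    for key, entry in ADVISORY.items():
        if model == key or (key.endswith("*") and model.startswith(key[:-1])):
            return entry
    return None

def triage(model, vnc_version):
    entry = lookup(model)
    if entry is None:
        return "not-listed"
    max_affected, fix = entry
    ver = parse_version(vnc_version)
    if ver is None:
        return "verify-manually"   # unknown version is unresolved, not safe
    if ver > parse_version(max_affected):
        return "not-affected"
    return f"upgrade-to-{fix}" if fix else "isolate-no-fix"

# Constructed inventory rows: (asset tag, model, VNC server version)
INVENTORY = [
    ("hmi-01", "GT2107-WTBD", "01.40.000"),
    ("hmi-02", "GS2110-WTBD-N", "01.41.000"),
    ("hmi-03", "GT27-SAMPLE", "01.39.010"),
    ("hmi-04", "GT25-SAMPLE", "unknown"),
]

def report(inventory=INVENTORY):
    return {tag: triage(model, ver) for tag, model, ver in inventory}
```

Devices reported as "isolate-no-fix" or "verify-manually" are the ones to put behind the firewall and VPN controls listed above first.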