Mitsubishi Electric EcoWebServerIII
Plan: Patch | 7.5 | ICS-CERT ICSA-22-055-02 | Feb 24, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Mitsubishi Electric EcoWebServerIII devices (MES3-255C-EN, MES3-255C-DM-EN, MES3-255C-CN, MES3-255C-DM-CN) versions 3.0.0 through 3.3.0 contain multiple vulnerabilities that allow cross-site scripting (CWE-79), uncontrolled resource consumption (CWE-400), and improper access control (CWE-915). Successful exploitation could allow information disclosure, data tampering, or denial of service. No known public exploits exist at the time of this advisory.
What this means
What could happen
An attacker with network access to an EcoWebServerIII unit could disclose sensitive information, modify process data, or cause the web server to become unresponsive, disrupting monitoring and control of industrial processes.
Who's at risk
Energy sector operators using Mitsubishi Electric EcoWebServerIII units (MES3-255C series) for web-based monitoring and control should prioritize this update. These devices are commonly deployed in electrical substations, distribution automation systems, and generation facilities where they provide remote visibility and management capabilities.
How it could be exploited
An attacker on the network sends a specially crafted request to the EcoWebServerIII web interface. These vulnerabilities allow the attacker to inject content (CWE-79), trigger resource exhaustion (CWE-400), or access sensitive functions without proper checks (CWE-915), resulting in information disclosure, data tampering, or denial of service.
Prerequisites
- Network access to the EcoWebServerIII device (port 80/443 or equivalent HTTP/HTTPS)
Tags: remotely exploitable · no authentication required · low complexity · no patch available (at time of advisory) · affects SCADA/HMI monitoring
Exploitability
Moderate exploit probability (EPSS 6.0%)
Affected products (4)
4 with fix
Product            Affected Versions       Fix Status
MES3-255C-DM-CN    ≥ 3.0.0 and ≤ 3.3.0     3.3.1
MES3-255C-DM-EN    ≥ 3.0.0 and ≤ 3.3.0     3.3.1
MES3-255C-EN       ≥ 3.0.0 and ≤ 3.3.0     3.3.1
MES3-255C-CN       ≥ 3.0.0 and ≤ 3.3.0     3.3.1
Remediation & Mitigation
Do now
WORKAROUND: Implement firewall rules to restrict network access to EcoWebServerIII from untrusted networks; allow only known management and monitoring hosts
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption
HOTFIX: Update all affected MES3-255C models to version 3.3.1 or later
Long-term hardening
HARDENING: Deploy VPN or other network segregation to isolate EcoWebServerIII from the internet and untrusted network segments
HARDENING: Restrict EcoWebServerIII to operate only within trusted LAN segments; block all external access by default
API: /api/v1/advisories/f5af4fc7-85af-4380-8098-5384d91e77d5