OTPulse

Mitsubishi Electric FA Engineering Software (Update C)

Act Now | CVSS 9.1 | ICS-CERT ICSA-22-333-05 | Dec 5, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Mitsubishi Electric FA Engineering Software contains multiple vulnerabilities in credential storage, authentication, and access control that allow unauthorized users to access MELSEC iQ-R/F/L series CPU modules, OPC UA server modules, and view/execute programs or project files without permission. Affected software includes GX Works3, GX Works2, GX Developer, GT Designer3 Version1, MT Works2, MX OPC UA Module Configurator-R, and Motion Control Settings. Vulnerabilities stem from hardcoded credentials, cleartext password storage, insufficient input validation, and weak security key management.

What this means
What could happen
An attacker with network access to engineering workstations or OPC UA interfaces could steal credentials, gain unauthorized access to control logic and process data, and modify PLC programs to alter setpoints or halt operations. This directly threatens the integrity of water/power distribution systems controlled by affected MELSEC CPUs.
Who's at risk
Water utilities and electric utilities operating MELSEC iQ-R, iQ-F, or iQ-L series programmable logic controllers (PLCs) are affected, particularly those using GX Works3 for engineering and maintenance. Also at risk is any facility with engineering workstations running affected Mitsubishi software versions, or with MELSEC iQ-R OPC UA servers exposed to networked clients. Small and mid-size utilities with limited software inventory tracking may not realize they are running vulnerable versions.
How it could be exploited
An attacker gains network access to an engineering workstation running affected GX Works3, GX Works2, or GT Designer3 software, or connects to an exposed OPC UA server. They exploit weak credential storage or authentication mechanisms to extract stored passwords, security keys, or project files. Using these credentials, they access MELSEC iQ-R/F/L series CPUs via Modbus/TCP or OPC UA to read logic and modify control parameters.
Prerequisites
  • Network access to engineering workstation or OPC UA server port (port 4840 or higher for OPC UA)
  • No valid user credentials required for initial file/key extraction from workstation filesystem
  • Knowledge of Mitsubishi MELSEC project file structure and security key formats
  • Physical or network access to host machine where software runs
  • remotely exploitable
  • no authentication required (for initial file access)
  • low complexity
  • affects industrial control system integrity
  • no patch available for many product versions (end-of-life)
  • CVSS 9.1 critical severity
  • multiple credential storage vulnerabilities
Exploitability
Moderate exploit probability (EPSS 1.6%)
Affected products (13)
11 with fix, 2 EOL

Product | Affected Versions | Fix Status
MX OPC UA Module Configurator-R | ≤ 1.08J | 1.09K or later (software) + firmware v10 or later (OPC UA server module)
GT Designer3 Version1 (GOT2000) | ≥ 1.122C, < 1.290C | 1.295H or later
MT Works2 | ≥ 1.100E, < 1.200J | 1.205P or later
GX Works2 | All versions | No fix (EOL)
GX Developer | ≥ 8.40S | No fix (EOL)
GX Works3 | ≥ 1.000A, < 1.011M | 1.090U or later (CVE-2022-29826), 1.095Z or later (CVE-2022-29825, CVE-2022-29829), 1.096A or later (CVE-2022-25164, CVE-2022-29830, CVE-2022-29831)
GX Works3 | ≥ 1.015R, < 1.087R | 1.090U or later (CVE-2022-29826), 1.095Z or later (CVE-2022-29825, CVE-2022-29829), 1.096A or later (CVE-2022-25164, CVE-2022-29830, CVE-2022-29831)
GX Works3 | 1.090U | 1.090U or later (CVE-2022-29826), 1.095Z or later (CVE-2022-29825, CVE-2022-29829), 1.096A or later (CVE-2022-25164, CVE-2022-29830, CVE-2022-29831)

Remediation & Mitigation
Do now
  • WORKAROUND: Restrict network access to engineering workstations and OPC UA servers using firewall rules; block external connections to port 4840 and engineering software communication ports
  • WORKAROUND: Use certificate-based authentication instead of username/password for OPC UA client connections to MELSEC iQ-R OPC UA server modules
  • WORKAROUND: Encrypt project files and security keys when sending or receiving over the Internet using TLS or equivalent
  • HARDENING: Install and maintain antivirus software on all hosts running Mitsubishi engineering software
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update GX Works3 to version 1.096A or later, then enable security mode and set security version for project to '2'
  • HOTFIX: Update MX OPC UA Module Configurator-R to version 1.09K or later and update OPC UA server module firmware to version 10 or later
  • HOTFIX: Update GT Designer3 Version1 to version 1.295H or later and enable security key secure mode
  • HOTFIX: Update Motion Control Settings to version 1.070Y or later and set security version for project to '2'
  • HOTFIX: Update MT Works2 to version 1.205P or later and enable security key secure mode
Mitigations - no patch available
The following products have reached End of Life with no planned fix: GX Works2 (all versions) and GX Developer (8.40S and later). Apply the following compensating controls:
  • HARDENING: Isolate engineering workstation networks from business/Internet-connected networks with firewalls and VLANs
  • HARDENING: Implement network segmentation to prevent unauthorized access to MELSEC CPUs from untrusted networks or hosts
  • HARDENING: For GX Works2 and GX Developer (end-of-life, no patches available), enforce strict network access controls and consider migration to supported versions
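
An added example (not OTPulse's or Mitsubishi Electric's code) that checks a software inventory against the fixed releases listed on this page and reports which CVE fixes are still outstanding. It assumes versions order by their numeric part with the letter suffix ignored, and for patched products it reports only whether a fixed release has been reached, not whether the version falls inside an affected range; the host names and inventory rows are constructed.

```python
import re

# Fixed releases as listed in the advisory: (first fixed version, CVEs the page ties to it).
FIXES = {
    "GX Works3": [
        ("1.090U", ["CVE-2022-29826"]),
        ("1.095Z", ["CVE-2022-29825", "CVE-2022-29829"]),
        ("1.096A", ["CVE-2022-25164", "CVE-2022-29830", "CVE-2022-29831"]),
    ],
    "MX OPC UA Module Configurator-R": [("1.09K", [])],
    "GT Designer3 Version1": [("1.295H", [])],
    "MT Works2": [("1.205P", [])],
    "Motion Control Settings": [("1.070Y", [])],
}
# End-of-life products with no fix; value = lowest affected version (None = all).
EOL = {"GX Works2": None, "GX Developer": "8.40S"}
_VERSION = re.compile(r"(\d+)\.(\d+)[A-Z]")

def parse_version(text):
    """'1.096A' -> (1, 96). Assumption: the numeric part alone defines ordering."""
    m = _VERSION.fullmatch(text.strip().upper())
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2))

def assess(product, installed):
    """Return (status, update_to, open_cves) for one installed product."""
    have = parse_version(installed)
    if product in EOL:
        if EOL[product] is None or have >= parse_version(EOL[product]):
            return ("eol-no-fix", None, [])
        return ("below-affected-range", None, [])
    if product not in FIXES:
        return ("not-in-advisory", None, [])
    pending = [(v, cves) for v, cves in FIXES[product] if have < parse_version(v)]
    if not pending:
        return ("at-fixed-release", None, [])
    open_cves = sorted(c for _, cves in pending for c in cves)
    return ("update-required", pending[-1][0], open_cves)

# Constructed inventory rows: (host, product, installed version).
INVENTORY = [("eng-ws-01", "GX Works3", "1.087R"), ("eng-ws-02", "GX Works3", "1.095Z"),
             ("eng-ws-03", "GX Works2", "1.50C")]

def audit(inventory):
    return [(host, product, ver, *assess(product, ver)) for host, product, ver in inventory]

if __name__ == "__main__":
    print(*audit(INVENTORY), sep="\n")
```

Reaching the fixed release is only part of the remediation listed above: the project security version or security key secure mode still has to be enabled, which this check does not inspect.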