Mitsubishi Electric FA Engineering Software (Update C)

Plan PatchCVSS 9.1ICS-CERT ICSA-22-333-05Dec 5, 2022

Mitsubishi ElectricEnergy

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Mitsubishi Electric FA Engineering Software contains multiple vulnerabilities in credential storage, authentication, and access control that allow unauthorized users to access MELSEC iQ-R/F/L series CPU modules, OPC UA server modules, and view/execute programs or project files without permission. Affected software includes GX Works3, GX Works2, GX Developer, GT Designer3 Version1, MT Works2, MX OPC UA Module Configurator-R, and Motion Control Settings. Vulnerabilities stem from hardcoded credentials, cleartext password storage, insufficient input validation, and weak security key management.

What this means

What could happen

An attacker with network access to engineering workstations or OPC UA interfaces could steal credentials, access control logic and process data without permission, and modify PLC programs to alter setpoints or halt operations. This directly threatens the integrity of water/power distribution systems controlled by affected MELSEC CPUs.

Who's at risk

Water utilities and electric utilities operating MELSEC iQ-R, iQ-F, or iQ-L series programmable logic controllers (PLCs) are affected, particularly those using GX Works3 for engineering and maintenance. Any facility with engineering workstations running affected Mitsubishi software versions, or MELSEC iQ-R OPC UA servers exposed to networked clients. Small and mid-size utilities with limited software inventory tracking may not realize they are running vulnerable versions.

How it could be exploited

An attacker gains network access to an engineering workstation running affected GX Works3, GX Works2, or GT Designer3 software, or connects to an exposed OPC UA server. They exploit weak credential storage or authentication mechanisms to extract stored passwords, security keys, or project files. Using these credentials, they access MELSEC iQ-R/F/L series CPUs via Modbus/TCP or OPC UA to read logic and modify control parameters.

Prerequisites

Network access to engineering workstation or OPC UA server port (port 4840 or higher for OPC UA)
No valid user credentials required for initial file/key extraction from workstation filesystem
Knowledge of Mitsubishi MELSEC project file structure and security key formats
Physical or network access to host machine where software runs

remotely exploitableno authentication required (for initial file access)low complexityaffects industrial control system integrityno patch available for many product versions (end-of-life)CVSS 9.1 critical severitymultiple credential storage vulnerabilities

Exploitability

Some exploitation risk — EPSS score 1.2%

Affected products (13)

11 with fix2 EOL

ProductAffected VersionsFix Status

MX OPC UA Module Configurator-R: <=1.08J≤ 1.08J1.09K+ (software) + firmware v10+ (OPC UA server module)

GT Designer3 Version1 (GOT2000): >=1.122C|<1.290C≥ 1.122C|<1.290C1.295H+

MT Works2: >=1.100E|<1.200J≥ 1.100E|<1.200J1.205P+

GX Works2: vers:all/*All versionsNo fix (EOL)

GX Developer: >=8.40S≥ 8.40SNo fix (EOL)

GX Works3: >=1.000A|<1.011M≥ 1.000A|<1.011M1.090U+ (CVE-2022-29826), 1.095Z+ (CVE-2022-29825, CVE-2022-29829), 1.096A+ (CVE-2022-25164, CVE-2022-29830, CVE-2022-29831)

GX Works3: >=1.015R|<1.087R≥ 1.015R|<1.087R1.090U+ (CVE-2022-29826), 1.095Z+ (CVE-2022-29825, CVE-2022-29829), 1.096A+ (CVE-2022-25164, CVE-2022-29830, CVE-2022-29831)

GX Works3: 1.090U1.090U1.090U+ (CVE-2022-29826), 1.095Z+ (CVE-2022-29825, CVE-2022-29829), 1.096A+ (CVE-2022-25164, CVE-2022-29830, CVE-2022-29831)

Remediation & Mitigation

0/12

Do now

0/4

WORKAROUNDRestrict network access to engineering workstations and OPC UA servers using firewall rules; block external connections to port 4840 and engineering software communication ports

WORKAROUNDUse certificate-based authentication instead of username/password for OPC UA client connections to MELSEC iQ-R OPC UA server modules

WORKAROUNDEncrypt project files and security keys when sending or receiving over the Internet using TLS or equivalent

HARDENINGInstall and maintain antivirus software on all hosts running Mitsubishi engineering software

Schedule — requires maintenance window

0/5

Patching may require device reboot — plan for process interruption

HOTFIXUpdate GX Works3 to version 1.096A or later, then enable security mode and set security version for project to '2'

HOTFIXUpdate MX OPC UA Module Configurator-R to version 1.09K or later and update OPC UA server module firmware to version 10 or later

HOTFIXUpdate GT Designer3 Version1 to version 1.295H or later and enable security key secure mode

HOTFIXUpdate Motion Control Settings to version 1.070Y or later and set security version for project to '2'

HOTFIXUpdate MT Works2 to version 1.205P or later and enable security key secure mode

Mitigations - no patch available

0/3

The following products have reached End of Life with no planned fix: GX Works2: vers:all/*, GX Developer: >=8.40S. Apply the following compensating controls:

HARDENINGIsolate engineering workstation networks from business/Internet-connected networks with firewalls and VLANs

HARDENINGImplement network segmentation to prevent unauthorized access to MELSEC CPUs from untrusted networks or hosts

HARDENINGFor GX Works2 and GX Developer (end-of-life, no patches available), enforce strict network access controls and consider migration to supported versions

CVEs (10)

CVE-2022-25164 CVE-2022-29826 CVE-2022-29825 CVE-2022-29831 CVE-2022-29833 CVE-2022-29827 CVE-2022-29828 CVE-2022-29829 CVE-2022-29830 CVE-2022-29832

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/86b8218a-4c97-4c6a-b0ac-348761b084f5

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.