OTPulse

Mitsubishi Electric MELSOFT iQ AppPortal

Priority: Act Now · CVSS 9.8 · ICS-CERT ICSA-23-052-01 · Feb 27, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

MELSOFT iQ AppPortal versions 1.00A through 1.29F contain multiple vulnerabilities in HTTP request handling and authentication logic (CWE-444, CWE-345). These flaws could allow an attacker on the network to bypass authentication, disclose sensitive information, cause denial-of-service, or bypass IP address-based access controls. The vulnerabilities are not remotely exploitable without network access to the application server, and no public exploits are known. Mitsubishi Electric recommends updating to version 1.32J or later. Until patching is possible, disable mod_proxy and mod_proxy_ajp features, restrict network access via firewall to trusted hosts only, use VPN for remote access, and apply the principle of least privilege to user accounts.

What this means
What could happen
An attacker with network access to MELSOFT iQ AppPortal could bypass authentication, extract sensitive data, or prevent the application from functioning, potentially disrupting engineering access to plant automation systems.
Who's at risk
Energy sector utilities and any organization using MELSOFT iQ AppPortal for PLC and automation engineering. This software is typically used by control engineers and automation specialists on engineering workstations to configure and manage Mitsubishi Electric programmable logic controllers (PLCs) and other industrial devices.
How it could be exploited
An attacker on the network sends a crafted request to the AppPortal application server. The vulnerability in HTTP request handling (CWE-444) and weak authentication logic (CWE-345) allows the attacker to bypass credential checks or spoof trusted IP addresses, gaining unauthorized access without valid credentials.
Prerequisites
  • Network access to the MELSOFT iQ AppPortal HTTP/HTTPS port
  • No valid credentials required
Tags: remotely exploitable · no authentication required · low complexity · critical severity (CVSS 9.8) · affects engineering access and plant automation
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (1)
Product | Affected Versions | Fix Status
MELSOFT iQ AppPortal (SW1DND-IQAPL-M): v1.00A to 1.29F | ≥ 1.00A and ≤ 1.29F | 1.32J or later
Remediation & Mitigation
Do now
WORKAROUND: Disable mod_proxy and mod_proxy_ajp in VisualSVN Server settings
HARDENING: Restrict network access to AppPortal using firewall rules; only allow connections from trusted engineering networks and workstations
HARDENING: Use VPN for any remote access to systems with AppPortal installed
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update MELSOFT iQ AppPortal to version 1.32J or later
HARDENING: Minimize user privilege levels for AppPortal users to engineering or read-only roles where appropriate
Long-term hardening
HARDENING: Install and maintain current antivirus software on all computers running AppPortal
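To confirm that the mod_proxy / mod_proxy_ajp workaround listed above has actually been applied, the following added Python audit (not part of this advisory or of any Mitsubishi Electric or VisualSVN tooling) scans Apache-style httpd.conf text for uncommented LoadModule directives and reports any proxy module still enabled. VisualSVN Server is Apache-based, but the configuration file path is an assumption, and both configuration fragments below are constructed samples.

```python
import re

# Constructed sample: proxy modules still loaded (the weak state the advisory warns about).
WEAK_CONF = """\
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule rewrite_module modules/mod_rewrite.so
"""

# Constructed sample: same file after applying the workaround (lines commented out).
HARDENED_CONF = """\
#LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule rewrite_module modules/mod_rewrite.so
"""

# Module identifiers named in the advisory's workaround.
RISKY_MODULES = {"proxy_module", "proxy_ajp_module"}

# Apache syntax: LoadModule <module identifier> <path to .so> (path may be quoted on Windows).
LOADMODULE_RE = re.compile(r"^\s*LoadModule\s+(\S+)\s+(.+)$", re.IGNORECASE)


def loaded_modules(conf_text):
    """Return the set of module identifiers enabled by active (uncommented) LoadModule lines."""
    mods = set()
    for line in conf_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments never load a module
        match = LOADMODULE_RE.match(stripped)
        if match:
            mods.add(match.group(1))
    return mods


def audit(conf_text):
    """Return the sorted list of risky proxy modules still enabled; an empty list means the workaround is in place."""
    return sorted(loaded_modules(conf_text) & RISKY_MODULES)


if __name__ == "__main__":
    # Assumed location of the VisualSVN Server httpd.conf; adjust for the actual installation.
    conf_path = r"C:\Program Files\VisualSVN Server\conf\httpd.conf"
    try:
        with open(conf_path, encoding="utf-8") as fh:
            findings = audit(fh.read())
    except OSError:
        findings = audit(WEAK_CONF)  # fall back to the constructed sample for a dry run
    print("still enabled:", findings or "none")
```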