Mitsubishi Electric GT and GOT Series Products

Plan PatchCVSS 7.5ICS-CERT ICSA-23-215-02Aug 3, 2023

Mitsubishi ElectricEnergy

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A cryptographic weakness in Mitsubishi Electric GOT2000 and GOT SIMPLE HMI terminal products, as well as GT Designer3 Version1 (GOT2000) and GT SoftGOT2000 engineering software, allows an attacker on the network to sniff encrypted password packets and decrypt them in plaintext. This affects GOT2000 models GT21, GT23, GT25, and GT27 running firmware version 01.49.000 or earlier, GOT SIMPLE models GS25 and GS21 running firmware 01.49.000 or earlier, and the engineering/emulation software versions 1.295H or earlier. Successful exploitation allows an attacker to obtain operator and engineer credentials, potentially enabling unauthorized control of connected industrial processes.

What this means

What could happen

An attacker on your network could intercept and decrypt passwords used by operators and engineers to access GOT HMI/SCADA systems, potentially allowing them to impersonate legitimate users and alter process parameters or halt production.

Who's at risk

Energy sector operators using Mitsubishi Electric GOT HMI/SCADA products (GOT2000, GOT SIMPLE, and GT Designer3/SoftGOT2000 engineering software) for process monitoring and control in power plants, substations, and distribution systems should prioritize this update. Any facility that uses GOT devices to display or control critical electrical or water processes is at risk.

How it could be exploited

An attacker with network access (internal LAN or remote if the device is Internet-exposed) can sniff unencrypted password packets between the GOT device and connected engineering workstations or other systems. The attacker can then decrypt the password to gain unauthorized access to the HMI to control connected PLCs and processes.

Prerequisites

Network access to the same LAN as the GOT device, or remote access if the device is exposed to the Internet
Ability to capture network traffic (packet sniffer running on the attacker's computer or a compromised device on the network)
No authentication or special privileges required to perform the attack

Remotely exploitable if device is Internet-exposedNo authentication required to sniff and decrypt passwordsLow attack complexityAffects HMI/SCADA systems that control physical processesHigh CVSS score (7.5)

Exploitability

Unlikely to be exploited — EPSS score 0.4%

Affected products (4)

4 with fix

ProductAffected VersionsFix Status

GT Designer3 Version1 (GOT2000): <= 1.295H≤ 1.295H1.300N

GT SoftGOT2000: <= 1.295H≤ 1.295H1.300N

GOT2000 (Models GT21, GT23, GT25, GT27): <= 01.49.000≤ 01.49.00001.50.000

GOT SIMPLE (Models GS25, GS21): <= 01.49.000≤ 01.49.00001.50.000

Remediation & Mitigation

0/8

Do now

0/1

WORKAROUNDConfigure IP filter function on affected products to restrict access to trusted engineering workstations and operator consoles only

Schedule — requires maintenance window

0/4

Patching may require device reboot — plan for process interruption

GT Designer3 Version1 (GOT2000): <= 1.295H

HOTFIXUpdate GT Designer3 Version1 (GOT2000) to v1.300N or later

HOTFIXUpdate GT SoftGOT2000 to v1.300N or later

HOTFIXUpdate GOT2000 (Models GT21, GT23, GT25, GT27) to v01.50.000 or later

GOT SIMPLE (Models GS25, GS21): <= 01.49.000

HOTFIXUpdate GOT SIMPLE (Models GS25, GS21) to v01.50.000 or later

Long-term hardening

0/3

HARDENINGEncrypt communication paths between GOT devices and connected systems using a VPN or equivalent encryption

HARDENINGIsolate GOT HMI/SCADA network from business network and Internet with firewalls and network segmentation

HARDENINGInstall antivirus software on engineering workstations that access the affected products

CVEs (1)

CVE-2023-0525

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/ed5fd13f-9e0e-4764-aab2-0b86be9a739a

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.