OTPulse

Mitsubishi Electric FA Engineering Software Products

MonitorCVSS 7.8ICS-CERT ICSA-23-334-04Nov 30, 2023
Mitsubishi ElectricEnergy
Attack path
Attack VectorLocal
Auth RequiredNone
ComplexityLow
User InteractionRequired
Summary

Mitsubishi Electric FA engineering software products (GX Works3, MELSOFT Navigator, iQ AppPortal, Motion Control Setting) contain an unsafe file handling vulnerability (CWE-73) that allows malicious code execution when a user opens a specially crafted project file. All versions are affected. Successful exploitation could result in information disclosure (theft of proprietary control logic and designs), tampering (modification of process parameters or control logic), or denial-of-service (deletion of project files or workstation compromise). No vendor patch is available; Mitsubishi Electric recommends mitigation through user education, network isolation, and antivirus deployment.

What this means
What could happen
An attacker could execute arbitrary code on an engineering workstation by embedding malicious logic in a project file, allowing them to steal process designs, modify control logic, or disrupt engineering activities.
Who's at risk
Engineering teams and plant automation specialists at electric utilities and energy facilities who use Mitsubishi FA software (GX Works3, MELSOFT Navigator, iQ AppPortal, Motion Control Setting) for PLC and motion controller programming and commissioning. This affects workstations used to design, test, and deploy control logic for generating units, substations, and distributed energy resources.
How it could be exploited
An attacker crafts a malicious Mitsubishi project file (.gpd, .gx3, or similar) containing embedded executable code. When an engineer or technician opens the file in GX Works3, MELSOFT Navigator, iQ AppPortal, or Motion Control Setting, the application executes the malicious code with the user's privileges. The attacker typically delivers this file via email, USB, or file sharing to social engineer the victim into opening it.
Prerequisites
  • File opening by a user (social engineering or physical access required)
  • User with permissions to run Mitsubishi FA engineering software
  • Specially crafted project file in a format recognized by the affected software
No patch availableLow attack complexityRequires user interaction (opening untrusted file)Affects engineering/commissioning tools used to design safety-critical logic
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (4)
4 EOL
ProductAffected VersionsFix Status
MELSOFT iQ AppPortal: vers:all/*All versionsNo fix (EOL)
MELSOFT Navigator: vers:all/*All versionsNo fix (EOL)
GX Works3: vers:all/*All versionsNo fix (EOL)
Motion Control Setting (Software packaged with GX Works3): vers:all/*All versionsNo fix (EOL)
Remediation & Mitigation
0/6
Do now
0/2
WORKAROUNDDo not open project files from untrusted sources, including email attachments and downloads from unfamiliar websites
HARDENINGRestrict file sharing and USB access to engineering workstations; validate all incoming project files through a secure transfer process
Schedule — requires maintenance window
0/3

Patching may require device reboot — plan for process interruption

HARDENINGInstall and maintain antivirus software on all computers running Mitsubishi FA engineering products
HARDENINGIsolate engineering workstations on a separate LAN segment; block remote login from untrusted networks using firewall rules
HARDENINGImplement network-based controls: use firewall and VPN to restrict access to engineering workstations to trusted users only
Mitigations - no patch available
0/1
The following products have reached End of Life with no planned fix: MELSOFT iQ AppPortal: vers:all/*, MELSOFT Navigator: vers:all/*, GX Works3: vers:all/*, Motion Control Setting (Software packaged with GX Works3): vers:all/*. Apply the following compensating controls:
HARDENINGEducate engineering staff on social engineering and phishing tactics to recognize malicious file delivery attempts
View full CISA ICS-CERT advisory
API: /api/v1/advisories/f01b2a65-d566-472c-9034-8ec0d01bef95

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.