Mitsubishi Electric Factory Automation Products
Act NowCVSS 7.5ICS-CERT ICSA-24-004-02Jan 4, 2024
Mitsubishi ElectricEnergy
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary
Mitsubishi Electric OPC UA server products contain information disclosure and denial-of-service vulnerabilities (CWE-208, CWE-415, CWE-843). These products are commonly deployed as bridges between Mitsubishi programmable logic controllers and supervisory control and monitoring software. An unauthenticated attacker with network access can send malicious requests to trigger information leakage or cause the server to become unresponsive. This would disrupt real-time communication for process monitoring and control operations.
What this means
What could happen
An attacker could disclose information from these OPC UA servers or cause them to stop responding, disrupting communication between plant control systems and monitoring software that depends on real-time data for operations.
Who's at risk
Energy utilities and manufacturing facilities using Mitsubishi Electric factory automation products should focus on this issue. It affects OPC UA servers that bridge plant control systems (PLCs like FX5 series, MELSEC iQ-R) and supervisory software. The MX OPC Server UA in MC Works64, OPC UA Server Unit modules, FX5-OPC gateways, GT SoftGOT2000 HMI, and OPC UA Data Collector are all affected. Any facility relying on these products for real-time monitoring or control data interchange is at risk.
How it could be exploited
An attacker on the network sends specially crafted requests to the OPC UA server ports without authentication. The server processes the request in an unsafe way, either leaking sensitive data or crashing. No user interaction is required.
Prerequisites
- Network access to the OPC UA server port (typically 4840 or configured port)
- No valid credentials required
- Server must be reachable from attacker's network segment
remotely exploitableno authentication requiredlow complexityhigh EPSS score (88.5%)no patch available for most productsaffects industrial automation and SCADA monitoring
Exploitability
Likely to be exploited — EPSS score 88.4%
Public Proof-of-Concept (PoC) on GitHub (1 repository)
Affected products (5)
1 with fix4 EOL
ProductAffected VersionsFix Status
FX5-OPC: <=1.006_≤ 1.0061.010+
OPC UA Server Unit: vers:all/*All versionsNo fix (EOL)
GT SoftGOT2000: >=1.275M|<1.290C≥ 1.275M|<1.290CNo fix (EOL)
OPC UA Data Collector: <=1.04E≤ 1.04ENo fix (EOL)
MX OPC Server UA (Software packaged with MC Works64): >=3.05F_Packaged_with_MC_Works64_4.03D≥ 3.05F Packaged with MC Works64 4.03DNo fix (EOL)
Remediation & Mitigation
0/7
Do now
0/4WORKAROUNDBlock access to OPC UA server ports from untrusted networks using firewalls; restrict to internal LAN only
HARDENINGEnable security policy in OPC UA Server Unit configuration (set to something other than 'None')
HARDENINGConfigure IP filter on FX5-OPC to allow access only from trusted engineering workstations and control systems
HARDENINGValidate and do not import untrusted certificates into OPC UA applications
Schedule — requires maintenance window
0/1Patching may require device reboot — plan for process interruption
HOTFIXUpgrade FX5-OPC to version 1.010 or later
Mitigations - no patch available
0/2The following products have reached End of Life with no planned fix: OPC UA Server Unit: vers:all/*, GT SoftGOT2000: >=1.275M|<1.290C, OPC UA Data Collector: <=1.04E, MX OPC Server UA (Software packaged with MC Works64): >=3.05F_Packaged_with_MC_Works64_4.03D. Apply the following compensating controls:
HARDENINGUse VPN or restricted network access when OPC UA servers must be accessible over wide-area networks
HARDENINGRestrict physical access to computers and network equipment on the same LAN segment as OPC UA servers
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/6e3b7fd4-da17-4b6f-a5f2-dc22f2fdbd13Get OT security insights every Tuesday
Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.