OTPulse

Mitsubishi Electric MELSEC WS Series Ethernet Interface Module

Monitor | CVSS 5.9 | ICS-CERT ICSA-24-030-03 | Jan 30, 2024
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

A credential validation flaw (CWE-294) in the Mitsubishi Electric MELSEC WS0-GETH00200 Ethernet Interface Module allows an unauthorized attacker to log in to the module and disclose or tamper with PLC programs and parameters. All versions of the module are affected. The attack has high complexity, and no public exploitation has been reported. Mitsubishi Electric has not released a patch and recommends network segmentation, firewall rules, VPN encryption, and restricted access as mitigations.

What this means
What could happen
An attacker with access to the Ethernet interface module could log in without valid credentials and modify PLC programs, parameters, or setpoints. This could disrupt energy production or distribution by altering control logic or process parameters.
Who's at risk
Electric utilities and energy generation facilities using Mitsubishi Electric MELSEC WS Series Ethernet Interface Module (WS0-GETH00200) in any version for remote access or LAN-connected PLC programming and monitoring are affected. This includes any PLC running on WS modules that perform critical control functions such as generation control, substation switching, or distribution management.
How it could be exploited
An attacker on the network must craft a login request to the Ethernet interface module on port 502 (Modbus) or the web interface port. The module accepts unauthenticated or improperly validated login attempts due to a credential validation flaw (CWE-294: Improper Implementation of Authentication Algorithm). Once logged in, the attacker can read and write program code and parameter values.
Prerequisites
  • Network access to the WS0-GETH00200 module (typically reachable from the LAN or across network segments if not properly firewalled)
  • No valid credentials required
  • High attack complexity (the advisory notes this, likely requiring knowledge of module configuration or timing)
  • Remotely exploitable
  • No authentication required
  • No patch available
  • Affects energy sector critical infrastructure
  • Allows tampering with control logic and process setpoints
Exploitability
Low exploit probability (EPSS 0.9%)
Affected products (1)
Product | Affected Versions | Fix Status
WS0-GETH00200: vers:all/* | All versions | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Isolate affected Ethernet interface modules on a dedicated control network segment; implement firewall rules to restrict access to only authorized engineering workstations and HMI systems
WORKAROUND: Deploy a VPN or encrypted tunnel for any remote access to these modules
HARDENING: Block all network access from untrusted networks and hosts using firewall rules
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Monitor for unauthorized login attempts to the module; log all login events and access to program/parameter changes
HOTFIX: Contact Mitsubishi Electric for a firmware update; no current fix is listed, but request inclusion in the vendor's patch roadmap
Mitigations - no patch available
WS0-GETH00200: vers:all/* has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Restrict physical access to the modules and any connected network devices in the control area
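
One way to act on the firewall and monitoring items above, as an added example that is not part of the advisory or any vendor tooling: audit firewall flow records for hosts outside the authorized set that contact the module. The module address, the allowlisted hosts, port 8080 and the log layout are assumptions, and the sample records are constructed.

```python
import ipaddress

# All addresses and the log layout are assumptions for illustration.
MODULE = ipaddress.ip_address("192.0.2.40")  # WS0-GETH00200 (hypothetical address)
ALLOWED = [ipaddress.ip_network(n) for n in (
    "192.0.2.10/32",  # engineering workstation (hypothetical)
    "192.0.2.20/32",  # HMI (hypothetical)
)]

# Constructed flow records: timestamp src dst dport action
SAMPLE_FLOWS = """\
2024-01-30T08:00:01Z 192.0.2.10 192.0.2.40 502 ACCEPT
2024-01-30T08:00:05Z 192.0.2.20 192.0.2.40 502 ACCEPT
2024-01-30T08:02:17Z 198.51.100.77 192.0.2.40 502 ACCEPT
2024-01-30T08:02:19Z 198.51.100.77 192.0.2.40 8080 DROP
2024-01-30T08:03:00Z 192.0.2.10 192.0.2.99 502 ACCEPT
malformed line
"""


def audit_flows(text):
    """Return (findings, skipped) for flows to the module from non-allowlisted hosts."""
    findings, skipped = [], 0
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        try:
            ts, src, dst, dport, action = parts
            src = ipaddress.ip_address(src)
            dst = ipaddress.ip_address(dst)
            dport = int(dport)
        except ValueError:
            skipped += 1  # count unparseable records instead of silently losing them
            continue
        if dst != MODULE or any(src in net for net in ALLOWED):
            continue  # not aimed at the module, or from an authorized host
        # ACCEPT means the firewall let an unauthorized host reach the module.
        kind = "reached-module" if action == "ACCEPT" else "blocked-attempt"
        findings.append({"time": ts, "src": str(src), "port": dport, "kind": kind})
    return findings, skipped


if __name__ == "__main__":
    results, bad = audit_flows(SAMPLE_FLOWS)
    for f in results:
        print(f"{f['time']} {f['kind']:<15} {f['src']} -> module:{f['port']}")
    print(f"unparseable records: {bad}")
```

A "reached-module" finding indicates a gap in the firewall rules, while a "blocked-attempt" finding shows the rules held but an unauthorized host is trying to reach the module.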