OTPulse

Mitsubishi Electric Multiple FA Engineering Software Products (Update E)

Monitor 6 · ICS-CERT ICSA-24-135-04 · May 14, 2024
Attack Vector: Local
Auth Required: Low
Complexity: High
User Interaction: Required
Summary

Multiple vulnerabilities in Mitsubishi Electric FA engineering software products allow a local attacker to cause a Windows blue screen denial-of-service or gain system privileges and execute arbitrary commands. The vulnerabilities are triggered through malformed files or user interaction on Windows systems running these tools. Affected products include CPU Module Logging Configuration Tool, GX Works2/3, GT Designer, iQ Works, MX Component, RT ToolBox3, and numerous other engineering and configuration utilities used to program Mitsubishi PLCs, drives, and network devices. The vendor has released patches for most products but states no fixes are available for several legacy tools including FR Configurator SW3, GX Developer, MI Configurator, and MR Configurator.

What this means
What could happen
An attacker with local access could cause the Windows system to crash (blue screen) or gain system privileges to run arbitrary commands on the engineering workstation running these tools, potentially compromising control logic or process configurations.
Who's at risk
Energy sector operators who use Mitsubishi Electric FA (factory automation) engineering software tools, including GX Works2/3, GT Designer, iQ Works, MX Component, and various configurators for programmable logic controllers (PLCs), motion controllers, and human machine interfaces (HMIs). Affects engineering workstations and configuration tools used to program and maintain control systems.
How it could be exploited
An attacker with local user access runs a malicious file or opens a crafted document on a Windows system running one of these FA engineering tools. The vulnerability in the tool allows code execution with elevated privileges or triggers a kernel crash, giving the attacker system-level access or denying use of the engineering workstation.
Prerequisites
  • Local user account on the Windows system running the vulnerable tool
  • User interaction required (opening/executing a malicious file or link)
  • Vulnerability triggered through file parsing or application logic
  • Local code execution required (reduces risk)
  • User interaction required to trigger
  • Affects engineering workstations (not deployed in field devices)
  • No patch available for several products (FR Configurator SW3, GX Developer, MI Configurator, MR Configurator, MX OPC Server, etc.)
  • High number of affected Mitsubishi products
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (37)
37 pending
Product | Affected Versions | Fix Status
CPU Module Logging Configuration Tool | ≤ 1.154L | No fix yet
CSGL (GX Works2 connection configuration) | ≤ 2.5 | No fix yet
CW Configurator | ≤ 1.019V | No fix yet
Data Transfer | ≤ 3.58L | No fix yet
Data Transfer Classic | ≤ 1.00A | No fix yet
Remediation & Mitigation
Do now
  • HARDENING: Restrict physical and local user access to computers running these engineering software products to authorized engineering staff only
  • HARDENING: Install and maintain antivirus software on all Windows systems running these tools
  • HARDENING: Train engineering staff not to open untrusted files or click untrusted links on systems running these tools
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update all Mitsubishi Electric FA engineering tools to the patched versions listed in the vendor advisory (see product_fixes)
Long-term hardening
  • HARDENING: Isolate engineering workstations on a separate network segment with restricted access controls