Mitsubishi Electric MELSOFT MaiLab and MELSOFT VIXIO (Update A)

MonitorCVSS 5.9ICS-CERT ICSA-24-200-01Jul 18, 2024

Mitsubishi ElectricEnergy

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityHigh

User InteractionNone needed

Summary

MELSOFT MaiLab and VIXIO are engineering software tools used to develop and configure Mitsubishi Electric industrial control systems. The vulnerability is a denial-of-service flaw (CWE-347: Improper Verification of Cryptographic Signature) in affected versions. A remote attacker with network access to an engineering workstation can send a specially crafted request that causes the software to crash or become unresponsive. The flaw has high attack complexity, requiring specific conditions to exploit, and no public exploitation has been reported. This vulnerability does not affect running control systems or field devices, only the engineering software used to configure them.

What this means

What could happen

An attacker could cause MELSOFT MaiLab or VIXIO engineering software to become unresponsive or crash, interrupting development, testing, or configuration work on Mitsubishi Electric industrial systems.

Who's at risk

Mitsubishi Electric customers in the energy sector and other industries who use MELSOFT MaiLab or VIXIO software for engineering and configuration of industrial control systems. The impact is highest for organizations that depend on continuous engineering workstation availability for operations or safety-critical system changes.

How it could be exploited

An attacker on the network sends a specially crafted request to the affected MELSOFT application. The high attack complexity suggests the request must meet specific conditions (such as particular system state or network timing), but once successful, causes a denial-of-service condition that crashes the engineering workstation.

Prerequisites

Network access to the engineering workstation running MELSOFT MaiLab or VIXIO
The affected software version must be installed (MaiLab 1.00A–1.05F or VIXIO 1.00A–1.03D)
No authentication required to trigger the denial-of-service condition

remotely exploitableno authentication requiredhigh attack complexityaffects engineering workstations that manage critical systems

Exploitability

Unlikely to be exploited — EPSS score 0.7%

Affected products (4)

4 with fix

ProductAffected VersionsFix Status

MELSOFT MaiLab SW1DND-MAILABPR-M: >=1.00A|<1.05F≥ 1.00A|<1.05F1.06G+

MELSOFT MaiLab SW1DND-MAILAB-M: >=1.00A|<1.05F≥ 1.00A|<1.05F1.06G+

MELSOFT VIXIO SW1DND-AIVILE-M: >=1.00A|<1.03D≥ 1.00A|<1.03D1.04E+

MELSOFT VIXIO SW1DND-AIVIIN-M: >=1.00A|<1.03D≥ 1.00A|<1.03D1.04E+

Remediation & Mitigation

0/6

Do now

0/2

WORKAROUNDRestrict network access to engineering workstations running MELSOFT with a firewall; block connections from untrusted networks and only allow access from trusted engineering stations

WORKAROUNDUse a VPN when Internet access to engineering workstations is required

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate MELSOFT MaiLab to version 1.06G or later

HOTFIXUpdate MELSOFT VIXIO to version 1.04E or later

Long-term hardening

0/2

HARDENINGRestrict physical access to PCs running MELSOFT and the networks they connect to

HARDENINGTrain users to avoid clicking links or opening attachments from untrusted emails or messages

CVEs (1)

CVE-2023-4807

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/197ed6b7-6534-4c11-9cdc-1c955db3a5b8

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.