CVE-2023-6942

EUVD-2023-59139

30.01.2024, 09:15

Missing Authentication for Critical Function vulnerability in Mitsubishi Electric Corporation EZSocket versions 3.0 to 5.92, GT Designer3 Version1(GOT1000) versions 1.325P and prior, GT Designer3 Version1(GOT2000) versions 1.320J and prior, GX Works2 versions 1.11M to 1.626C, GX Works3 versions 1.106L and prior, MELSOFT Navigator versions 1.04E to 2.102G, MT Works2 versions 1.190Y and prior, MX Component versions 4.00A to 5.007H and MX OPC Server DA/UA all versions allows a remote unauthenticated attacker to bypass authentication by sending specially crafted packets and connect to the products illegally.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Mitsubishi	CNA	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 67%

Affected Products (NVD)

Vendor	Product	Version
mitsubishielectric	ezsocket	3.0 ≤
mitsubishielectric	fr_configurator2	*
mitsubishielectric	got1000	*
mitsubishielectric	got2000	*
mitsubishielectric	gx_works2	1.11m ≤
mitsubishielectric	gx_works3	*
mitsubishielectric	mc_works64	*
mitsubishielectric	melsoft_navigator	1.04e ≤
mitsubishielectric	mt_works2	*
mitsubishielectric	mx_component	4.00a ≤

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-306 - Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

References

https://jvn.jp/vu/JVNVU95103362

https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-02

https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-020_en.pdf

https://jvn.jp/vu/JVNVU95103362

https://www.cisa.gov/news-events/ics-advisories/icsa-24-030-02

https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-020_en.pdf