Multiple vulnerabilities in Mitsubishi Electric FA Engineering Software
| Risk | High |
| Patch available | NO |
| Number of vulnerabilities | 9 |
| CVE-ID | CVE-2022-25164 CVE-2022-29825 CVE-2022-29827 CVE-2022-29828 CVE-2022-29829 CVE-2022-29830 CVE-2022-29831 CVE-2022-29832 CVE-2022-29833 |
| CWE-ID | CWE-312 CWE-259 CWE-321 CWE-522 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
GX Works3 Client/Desktop applications / Software for system administration MX OPC UA Module Configurator-R Server applications / Other server solutions |
| Vendor | Mitsubishi Electric |
Security Bulletin
This security bulletin contains information about 9 vulnerabilities.
1) Cleartext storage of sensitive information
EUVDB-ID: #VU69740
Risk: High
CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID: CVE-2022-25164
CWE-ID:
CWE-312 - Cleartext Storage of Sensitive Information
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to cleartext storage of sensitive information. A remote attacker can disclose sensitive information.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsGX Works3: 1.000A - 1.087R
MX OPC UA Module Configurator-R: All versions
External linkshttp://ics-cert.us-cert.gov/advisories/icsa-22-333-05
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Use of Hard-coded Password
EUVDB-ID: #VU69741
Risk: Low
CVSSv3.1: 5.1 [CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID: CVE-2022-29825
CWE-ID:
CWE-259 - Use of Hard-coded Password
Exploit availability: No
DescriptionThe vulnerability allows a local user to compromise the target system.
The vulnerability exists due to the software contains a hard-coded password. A local user can disclose sensitive information in the system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsGX Works3: 1.000A - 1.087R
External linkshttp://ics-cert.us-cert.gov/advisories/icsa-22-333-05
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
3) Use of Hard-coded Cryptographic Key
EUVDB-ID: #VU69743
Risk: Medium
CVSSv3.1: 6.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID: CVE-2022-29827
CWE-ID:
CWE-321 - Use of Hard-coded Cryptographic Key
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the affected product has a hardcoded cryptographic key. A remote attacker can disclose sensitive information on the system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsGX Works3: 1.000A - 1.087R
External linkshttp://ics-cert.us-cert.gov/advisories/icsa-22-333-05
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
4) Use of Hard-coded Cryptographic Key
EUVDB-ID: #VU69744
Risk: Medium
CVSSv3.1: 6.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID: CVE-2022-29828
CWE-ID:
CWE-321 - Use of Hard-coded Cryptographic Key
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the affected product has a hardcoded cryptographic key. A remote attacker can disclose sensitive information on the system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsGX Works3: 1.000A - 1.087R
External linkshttp://ics-cert.us-cert.gov/advisories/icsa-22-333-05
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
5) Use of Hard-coded Cryptographic Key
EUVDB-ID: #VU69745
Risk: Medium
CVSSv3.1: 6.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID: CVE-2022-29829
CWE-ID:
CWE-321 - Use of Hard-coded Cryptographic Key
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the affected product has a hardcoded cryptographic key. A remote attacker can disclose sensitive information on the system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsGX Works3: 1.000A - 1.087R
External linkshttp://ics-cert.us-cert.gov/advisories/icsa-22-333-05
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
6) Use of Hard-coded Cryptographic Key
EUVDB-ID: #VU69746
Risk: Medium
CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID: CVE-2022-29830
CWE-ID:
CWE-321 - Use of Hard-coded Cryptographic Key
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the affected product has a hardcoded cryptographic key. A remote attacker can disclose sensitive information on the system.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsGX Works3: 1.000A - 1.087R
External linkshttp://ics-cert.us-cert.gov/advisories/icsa-22-333-05
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
7) Use of Hard-coded Password
EUVDB-ID: #VU69747
Risk: Low
CVSSv3.1: 6.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID: CVE-2022-29831
CWE-ID:
CWE-259 - Use of Hard-coded Password
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the software contains a hard-coded password. A remote attacker can obtain information about the safety CPU module project file.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsGX Works3: 1.015R - 1.087R
External linkshttp://ics-cert.us-cert.gov/advisories/icsa-22-333-05
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
8) Cleartext storage of sensitive information
EUVDB-ID: #VU69748
Risk: Low
CVSSv3.1: 3.4 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID: CVE-2022-29832
CWE-ID:
CWE-312 - Cleartext Storage of Sensitive Information
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to cleartext storage of sensitive information. A remote attacker can obtain information about the safety CPU module project file.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsGX Works3: 1.015R - 1.087R
External linkshttp://ics-cert.us-cert.gov/advisories/icsa-22-333-05
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
9) Insufficiently protected credentials
EUVDB-ID: #VU69749
Risk: Medium
CVSSv3.1: 6.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:N/A:N/E:U/RL:U/RC:C]
CVE-ID: CVE-2022-29833
CWE-ID:
CWE-522 - Insufficiently Protected Credentials
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to insufficiently protected credentials. A remote attacker can gain access to sensitive information.
MitigationCybersecurity Help is currently unaware of any official solution to address this vulnerability.
Vulnerable software versionsGX Works3: 1.015R - 1.087R
External linkshttp://ics-cert.us-cert.gov/advisories/icsa-22-333-05
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
