Remote code execution in Mitsubishi Electric FA Engineering Software Products



Risk High
Patch available NO
Number of vulnerabilities 1
CVE-ID CVE-2023-5247
CWE-ID CWE-73
Exploitation vector Network
Public exploit N/A
Vulnerable software
 GX Works3
Client/Desktop applications / Software for system administration

MELSOFT iQ AppPortal
Client/Desktop applications / Software for system administration

MELSOFT Navigator
Client/Desktop applications / Software for system administration

Motion Control Setting
Client/Desktop applications / Software for system administration

Vendor Mitsubishi Electric

Security Bulletin

This security bulletin contains one high risk vulnerability.

1) External Control of File Name or Path

EUVDB-ID: #VU83865

Risk: High

CVSSv4.0: 5.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2023-5247

CWE-ID: CWE-73 - External Control of File Name or Path

Exploit availability: No

Description

The vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to external control of file name or path. A remote attacker can trick a victim to open a specially crafted project file and execute arbitrary code on the target system.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

GX Works3: All versions

MELSOFT iQ AppPortal: All versions

MELSOFT Navigator: All versions

Motion Control Setting: All versions

CPE2.3 External links

https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-016_en.pdf
https://jvn.jp/vu/JVNVU93383160/
https://www.cisa.gov/news-events/ics-advisories/icsa-23-334-04


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###