1. EXECUTIVE SUMMARY
- CVSS v3 7.8
- ATTENTION: Low attack complexity
- Vendor: Mitsubishi Electric
- Equipment: FA Engineering Software Products
- Vulnerability: External Control of File Name or Path
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to execute malicious code by tricking legitimate users into opening a specially crafted project file, which could result in information disclosure, tampering and deletion, or a denial-of-service condition.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
Mitsubishi Electric reports the following versions of FA Engineering Software Products are affected:
- GX Works3: All versions
- MELSOFT iQ AppPortal: All versions
- MELSOFT Navigator: All versions
- Motion Control Setting (Software packaged with GX Works3): All versions
3.2 VULNERABILITY OVERVIEW
3.2.1 External Control of File Name or Path CWE-73
A malicious code execution vulnerability due to external control of file name or path exists in multiple FA engineering software products. This vulnerability could allow an attacker to execute malicious code by having legitimate users open a specially crafted project file, which could result in information disclosure, tampering and deletion, or a denial-of-service condition.
CVE-2023-5247 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
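The following added example illustrates the CWE-73 pattern behind this class of issue and the mitigation a loader should apply: a file name taken from an untrusted project file is used to locate another file, first unchecked and then confined to the project directory. The key=value project format, the `module=` key, the `/srv/projects/lineA` location and the sample project contents are all constructed assumptions for illustration; this is not Mitsubishi Electric's code or file format.

```python
"""CWE-73 in a project-file loader: the name of a file to load is taken from
the (untrusted) project file itself.  Hypothetical format and code, not the
vendor's: each line is key=value, and `module=` names a helper file the
loader opens relative to the project directory."""
import os
from pathlib import Path

PROJECT_DIR = "/srv/projects/lineA"  # assumed location; need not exist on disk
BENIGN_PROJECT = "name=LineA_PLC\nmodule=modules/helper.dll\n"  # constructed
CRAFTED_PROJECT = "name=LineA_PLC\nmodule=../../../outside/helper.dll\n"  # constructed


class UnsafeModuleReference(ValueError):
    """Raised when a project file references a path outside the project."""


def parse_project(text):
    """Parse the constructed key=value format into a dict (comments skipped)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip()] = value.strip()
    return entries


def resolve_unchecked(project_dir, name):
    """Vulnerable pattern: the externally supplied name is joined as-is, so
    '..' segments, absolute paths or drive/UNC prefixes escape project_dir."""
    return os.path.normpath(os.path.join(project_dir, name))


def resolve_confined(project_dir, name):
    """Hardened pattern: reject absolute names and Windows-style prefixes,
    canonicalise the result and require it to stay strictly inside project_dir."""
    if not name or Path(name).is_absolute() or ":" in name or "\\" in name:
        raise UnsafeModuleReference(name)
    base = Path(project_dir).resolve()
    candidate = (base / name).resolve()  # collapses '..' and symlinks
    if base not in candidate.parents:
        raise UnsafeModuleReference(name)
    return str(candidate)


def project_accepts_module(project_dir, project_text):
    """True if the project's module reference passes the confinement check."""
    name = parse_project(project_text).get("module", "")
    try:
        resolve_confined(project_dir, name)
        return True
    except UnsafeModuleReference:
        return False
```

Running the crafted sample through `resolve_unchecked` yields a path outside the project directory, while `resolve_confined` rejects it and accepts only the benign reference.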
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Japan