Mitsubishi Electric has released security updates to address multiple vulnerabilities in the following products:

• C Controller Interface Module Utility, all versions
• C Controller Module Setting and Monitoring Tool, all versions
• C Controller module setting and monitoring tool, All versions
• CPU Module Logging Configuration Tool, Versions 1.112R and prior
• CW Configurator, Versions 1.011M and prior
• Data Transfer, Versions 3.44W and prior
• EZSocket, All versions
• FR Configurator, All versions
• FR Configurator SW3, All versions
• FR Configurator2, Versions 1.24A and prior
• GT Designer3 Version1(GOT1000), Versions 1.250L and prior
• GT Designer3 Version1(GOT2000), Versions 1.250L and prior
• GT SoftGOT1000 Version3, Versions 3.245F and prior
• GT SoftGOT2000 Version1, Versions 1.250L and prior
• GX Configurator-DP, Versions 7.14Q and prior
• GX Configurator-QP, All versions
• GX Developer, Versions 8.506C and prior
• GX Explorer, All versions
• GX IEC Developer, All versions
• GX LogViewer, Versions 1.115U and prior
• GX RemoteService-I, All versions
• GX Works2, Versions 1.597X and prior
• GX Works3, Versions 1.070Y and prior
• iQ Monozukuri ANDON (Data Transfer), All versions
• iQ Monozukuri Process Remote Monitoring (Data Transfer), All versions
• M_CommDTM-HART, All versions
• M_CommDTM-IO-Link, All versions
• MELFA-Works, Versions 4.4 and prior
• MELSEC WinCPU Setting Utility, All versions
• MELSOFT EM Software Development Kit (EM Configurator), All versions
• MELSOFT Navigator, Versions 2.74C and prior
• MH11 SettingTool Version2, Versions 2.004E and prior
• MI Configurator, All versions

Threats:

An attacker could exploit these vulnerabilities by conducting a denial of service attack (DoS).

Best practice and Recommendations:

The CERT team encourages users to review Mitsubishi Electric security advisory and apply the necessary updates:

• Malicious Code Execution Vulnerability in Multiple FA Engineering Software Products (mitsubishielectric.com)
• MITSUBISHI ELECTRIC FA Global Website