Heap-Based Buffer Overflow in Mitsubishi Electric FA Engineering Software
CVE-2021-20587

7.5HIGH

Key Information:

Vendor

Mitsubishi Electric Corporation

Status
Cpu Module Logging Configuration Tool
Cw Configurator
Data Transfer
Ezsocket
Vendor
CVE Published:
19 February 2021

What is CVE-2021-20587?

A heap-based buffer overflow vulnerability identified in Mitsubishi Electric's FA Engineering Software allows remote unauthenticated attackers to potentially disrupt software functionality and cause denial of service (DoS) conditions. The flaw may enable an attacker to execute harmful programs on the underlying personal computer by sending specially crafted packets that spoof the MELSEC, GOT, or FREQROL systems. Without proper mitigations, organizations using affected versions are left at risk.

Affected Version(s)

CPU Module Logging Configuration Tool 1.112R and prior

CW Configurator 1.011M and prior

Data Transfer 3.44W and prior

References

https://www.mitsubishielectric.com/psirt/vulnerability/pd...
vendor-advisory
https://jvn.jp/vu/JVNVU92330101
government-resource
https://www.cisa.gov/news-events/ics-advisories/icsa-21-0...
government-resource

EPSS Score

11% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.