Improper Length Parameter Handling in Mitsubishi Electric FA Engineering Software
CVE-2021-20588

7.5HIGH

Key Information:

Vendor

Mitsubishi Electric Corporation

Status
Cpu Module Logging Configuration Tool
Cw Configurator
Data Transfer
Ezsocket
Vendor
CVE Published:
19 February 2021

What is CVE-2021-20588?

An improper handling of length parameter inconsistency in Mitsubishi Electric FA Engineering Software allows remote, unauthenticated attackers to create a denial of service (DoS) condition. By spoofing responses from MELSEC, GOT, or FREQROL devices and sending crafted reply packets, an attacker may disrupt service and potentially execute malicious code on the victim's machine, even though exploitation has not been consistently demonstrated.

Affected Version(s)

CPU Module Logging Configuration Tool 1.112R and prior

CW Configurator 1.011M and prior

Data Transfer 3.44W and prior

References

https://www.mitsubishielectric.com/psirt/vulnerability/pd...
vendor-advisory
https://jvn.jp/vu/JVNVU92330101
government-resource
https://www.cisa.gov/news-events/ics-advisories/icsa-21-0...
government-resource

EPSS Score

5% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.