Malicious Code Execution Vulnerability in FA Engineering Software Products
CVE-2023-4088

9.3CRITICAL

Key Information:

Vendor
Mitsubishi Electric Corporation
Status
Gx Works3
Al-pcs/win-e
Cpu Module Logging Configuration Tool
Ezsocket
Vendor
CVE Published:
20 September 2023

Summary

A vulnerability exists in multiple FA engineering software products of Mitsubishi Electric Corporation due to incorrect default permissions settings. This issue allows a malicious local attacker to execute malicious code, which can lead to various harmful consequences such as information disclosure, data tampering, deletion, or even a denial-of-service (DoS) condition, especially if the software is installed in a non-default directory. Proper configuration and adherence to security best practices are recommended to mitigate this risk.

Affected Version(s)

AL-PCS/WIN-E all versions

CPU Module Logging Configuration Tool all versions

Data Transfer all versions

References

https://www.mitsubishielectric.com/en/psirt/vulnerability...
vendor-advisory
https://jvn.jp/vu/JVNVU96447193/index.html
government-resource
https://www.cisa.gov/news-events/ics-advisories/icsa-23-2...
government-resource

CVSS V3.1

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.