Denial-of-Service (DoS) Vulnerability in MELSEC Series
CVE-2023-4699

9.1CRITICAL

Key Information:

Vendor
Mitsubishi Electric Corporation
Status
Melsec-f Series Fx3u-16mt/es
Melsec-f Series Fx3u-32mt/es
Melsec-f Series Fx3u-48mt/es
Melsec-f Series Fx3u-64mt/es
Vendor
CVE Published:
6 November 2023

Badges

👾 Exploit Exists🟡 Public PoC

Summary

The vulnerability in Mitsubishi Electric's MELSEC series allows unauthorized remote access to execute arbitrary commands by sending tailored packets to affected products. This flaw can lead to significant risks, including unauthorized reading or modification of control programs and potential denial-of-service conditions. Attackers can exploit this vulnerability to reset devices to factory settings or disrupt operations altogether, highlighting urgent security considerations for users of these industrial control systems.

Affected Version(s)

MELSEC iQ-F Series FX5-40SSC-G all versions

MELSEC iQ-F Series FX5-40SSC-S all versions

MELSEC iQ-F Series FX5-80SSC-G all versions

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

Citrix-Bleed-Buffer-Overread-Demo
Created by Scottzxor

References

https://www.mitsubishielectric.com/en/psirt/vulnerability...
vendor-advisory
https://jvn.jp/vu/JVNVU94620134/
government-resource
https://www.cisa.gov/news-events/ics-advisories/icsa-23-3...
government-resource

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 👾

    Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

.