Malicious Code Execution Vulnerability in Mitsubishi Electric FA Engineering Software
CVE-2023-5247

7.8HIGH

Key Information:

Vendor: Mitsubishi Electric Corporation
Status: Gx Works3; Melsoft Iq Appportal; Melsoft Navigator; Motion Control Setting
Vendor: CVE Published:; 30 November 2023

Summary

A vulnerability exists in multiple Mitsubishi Electric FA Engineering Software products that allows for the external control of file names or paths. This can lead to scenarios where a malicious attacker might execute arbitrary code when a legitimate user opens a specifically crafted project file. The implications of this vulnerability are severe, potentially leading to information disclosure, data tampering, deletion of critical information, or even a denial-of-service (DoS) condition.

Affected Version(s)

GX Works3 all versions

MELSOFT iQ AppPortal all versions

MELSOFT Navigator all versions

References

https://www.mitsubishielectric.com/en/psirt/vulnerability...

vendor-advisory

https://jvn.jp/vu/JVNVU93383160/

government-resource

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Nov 30, 2023
Vulnerability Reserved
Sep 28, 2023