Exploitation of these vulnerabilities could disrupt industrial processes.
The US Cybersecurity and Infrastructure Protection Agency (CISA) this week issued an advisory warning of multiple vulnerabilities in Mitsubishi Electric GX Works3 engineering software.
"The successful exploitation of these vulnerabilities allows unauthorized attackers to view and execute programs, gain access to the MELSEC iQ-R/F/L series processor modules and the MELSEC iQ-R OPC UA series server module," the agency said.
GX Works3 is Mitsubishi Electric's latest generation of programming and maintenance software specifically designed for MELSEC iQ-R series control systems. It includes many new features such as graphical system configuration, built-in positioning tools, multilingual support, which creates an intuitive development environment.
Experts divided 10 discovered vulnerabilities into several groups:
Three vulnerabilities are related to the storage of sensitive data in the clear;
Four of the vulnerabilities are related to the use of a hard-coded cryptographic key;
Two - using a hard-coded password;
One concerns inadequate credential protection.
The most dangerous security flaws are CVE-2022-25164 and CVE-2022-29830, rated 9.1 out of 10 on the CVSS scale. Attackers can use them to gain access to the processor module and collect information about project files without obtaining any permissions.
Another vulnerability discovered by Nozomi Networks has received the identifier CVE-2022-29831 and a score of 7.5 out of 10 on the CVSS scale: 7.5. This security hole can be exploited by a hacker who already has access to the safety PLC project file. Using a hard-coded password, a cybercriminal can gain direct access to the safety PLC CPU and disrupt industrial processes.
Vulnerabilities CVE-2022-25164 , CVE-2022-29825 , CVE-2022-29826 , CVE-2022-29827 , CVE-2022-29828 , CVE-2022-29829 and CVE-2022-29830 were discovered by Positive researchers.