CVSS: 9.4EPSS: 0%CPEs: 300EXPL: 0CVE-2023-2846 – Authentication Bypass Vulnerability in MELSEC-F Series main module
https://notcve.org/view.php?id=CVE-2023-2846
30 Jun 2023 — Authentication Bypass by Capture-replay vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series main modules allows a remote unauthenticated attacker to cancel the password/keyword setting and login to the affected products by sending specially crafted packets. • https://jvn.jp/vu/JVNVU94519952 • CWE-294: Authentication Bypass by Capture-replay •
CVSS: 7.5EPSS: 0%CPEs: 8EXPL: 0CVE-2023-2063 – Information disclosure, tampering, deletion and destruction vulnerability in MELSEC iQ-R Series / iQ-F Series EtherNet/IP Modules
https://notcve.org/view.php?id=CVE-2023-2063
02 Jun 2023 — Unrestricted Upload of File with Dangerous Type vulnerability in FTP function on Mitsubishi Electric Corporation MELSEC iQ-R Series EtherNet/IP module RJ71EIP91 and MELSEC iQ-F Series EtherNet/IP module FX5-ENET/IP allows a remote unauthenticated attacker to cause information disclosure, tampering, deletion or destruction via file upload/download. As a result, the attacker may be able to exploit this for further attacks. • https://jvn.jp/vu/JVNVU92908006 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 6.2EPSS: 0%CPEs: 8EXPL: 0CVE-2023-2062 – Information Disclosure vulnerability in EtherNet/IP Configuration tools
https://notcve.org/view.php?id=CVE-2023-2062
02 Jun 2023 — Missing Password Field Masking vulnerability in Mitsubishi Electric Corporation EtherNet/IP configuration tools SW1DNN-EIPCT-BD and SW1DNN-EIPCTFX5-BD allows a remote unauthenticated attacker to know the password for MELSEC iQ-R Series EtherNet/IP module RJ71EIP91 and MELSEC iQ-F Series EtherNet/IP module FX5-ENET/IP. This vulnerability results in authentication bypass vulnerability, which allows the attacker to access MELSEC iQ-R Series EtherNet/IP module RJ71EIP91 and MELSEC iQ-F Series EtherNet/IP module... • https://jvn.jp/vu/JVNVU92908006 • CWE-549: Missing Password Field Masking CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2023-2061 – Authentication bypass vulnerability in MELSEC iQ-R Series / iQ-F Series EtherNet/IP Modules
https://notcve.org/view.php?id=CVE-2023-2061
02 Jun 2023 — Use of Hard-coded Password vulnerability in FTP function on Mitsubishi Electric Corporation MELSEC iQ-R Series EtherNet/IP module RJ71EIP91 and MELSEC iQ-F Series EtherNet/IP module FX5-ENET/IP allows a remote unauthenticated attacker to obtain a hard-coded password and access to the module via FTP. • https://jvn.jp/vu/JVNVU92908006 • CWE-259: Use of Hard-coded Password CWE-798: Use of Hard-coded Credentials •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2023-2060 – Authentication bypass vulnerability in MELSEC iQ-R Series / iQ-F Series EtherNet/IP Modules
https://notcve.org/view.php?id=CVE-2023-2060
02 Jun 2023 — Weak Password Requirements vulnerability in FTP function on Mitsubishi Electric Corporation MELSEC iQ-R Series EtherNet/IP module RJ71EIP91 and MELSEC iQ-F Series EtherNet/IP module FX5-ENET/IP allows a remote unauthenticated attacker to access to the module via FTP by dictionary attack or password sniffing. • https://jvn.jp/vu/JVNVU92908006 • CWE-521: Weak Password Requirements •
CVSS: 10.0EPSS: 2%CPEs: 78EXPL: 0CVE-2023-1424 – Denial-of-Service and Remote Code Execution Vulnerability in MELSEC Series CPU module
https://notcve.org/view.php?id=CVE-2023-1424
24 May 2023 — Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series CPU modules and MELSEC iQ-R Series CPU modules allows a remote unauthenticated attacker to cause a denial of service (DoS) condition or execute malicious code on a target product by sending specially crafted packets. A system reset of the product is required for recovery from a denial of service (DoS) condition and malicious code execution. • https://jvn.jp/vu/JVNVU94650413 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') •
CVSS: 9.0EPSS: 0%CPEs: 2EXPL: 0CVE-2023-1618 – Authentication Bypass Vulnerability in MELSEC WS Series Ethernet Interface Module
https://notcve.org/view.php?id=CVE-2023-1618
19 May 2023 — Active Debug Code vulnerability in Mitsubishi Electric Corporation MELSEC WS Series WS0-GETH00200 Serial number 2310 **** and prior allows a remote unauthenticated attacker to bypass authentication and illegally log into the affected module by connecting to it via telnet which is hidden function and is enabled by default when shipped from the factory. As a result, a remote attacker with unauthorized login can reset the module, and if certain conditions are met, he/she can disclose or tamper with the module'... • https://jvn.jp/vu/JVNVU96063959 • CWE-489: Active Debug Code CWE-1188: Initialization of a Resource with an Insecure Default •
CVSS: 7.5EPSS: 0%CPEs: 2EXPL: 0CVE-2023-1285
https://notcve.org/view.php?id=CVE-2023-1285
14 Apr 2023 — Signal Handler Race Condition vulnerability in Mitsubishi Electric India GC-ENET-COM whose first 2 digits of 11-digit serial number of unit are "16" allows a remote unauthenticated attacker to cause a denial-of-service (DoS) condition in Ethernet communication by sending a large number of specially crafted packets to any UDP port when GC-ENET-COM is configured as a Modbus TCP Server. The communication resumes only when the power of the main unit is turned off and on or when the GC-ENET-COM is hot-swapped fr... • https://mitsubishielectric.in/fa/cnc-pdf/DoS_in_Ethernet_Communication_Extension_Unit_GC_ENET_COM_of_GOC35_Series.pdf • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-364: Signal Handler Race Condition •
CVSS: 7.8EPSS: 1%CPEs: 76EXPL: 0CVE-2023-0457 – Information Disclosure Vulnerability in MELSEC Series
https://notcve.org/view.php?id=CVE-2023-0457
03 Mar 2023 — Plaintext Storage of a Password vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series, MELSEC iQ-R Series, MELSEC-Q Series and MELSEC-L Series allows a remote unauthenticated attacker to disclose plaintext credentials stored in project files and login into FTP server or Web server. • https://jvn.jp/vu/JVNVU93891523/index.html • CWE-256: Plaintext Storage of a Password CWE-522: Insufficiently Protected Credentials •
CVSS: 9.4EPSS: 0%CPEs: 5EXPL: 0CVE-2022-40269
https://notcve.org/view.php?id=CVE-2022-40269
02 Feb 2023 — Authentication Bypass by Spoofing vulnerability in Mitsubishi Electric Corporation GOT2000 Series GT27 model versions 01.14.000 to 01.47.000, Mitsubishi Electric Corporation GOT2000 Series GT25 model versions 01.14.000 to 01.47.000 and Mitsubishi Electric Corporation GT SoftGOT2000 versions 1.265B to 1.285X allows a remote unauthenticated attacker to disclose sensitive information from users' browsers or spoof legitimate users by abusing inappropriate HTML attributes. • https://jvn.jp/vu/JVNVU91222434/index.html • CWE-290: Authentication Bypass by Spoofing •