CVSS: 9.1EPSS: 0%CPEs: 432EXPL: 0CVE-2023-4699 – Denial-of-Service (DoS) Vulnerability in MELSEC Series
https://notcve.org/view.php?id=CVE-2023-4699
Insufficient Verification of Data Authenticity vulnerability in Mitsubishi Electric Corporation MELSEC-F Series main modules and MELSEC iQ-F Series CPU modules allows a remote unauthenticated attacker to reset the memory of the products to factory default state and cause denial-of-service (DoS) condition on the products by sending specific packets. Vulnerabilidad de verificación insuficiente de autenticidad de datos en los módulos principales Mitsubishi Electric Corporation MELSEC-F Series y en los módulos de MELSEC iQ-F Series CPU permite a un atacante remoto no autenticado restablecer la memoria de los productos al estado predeterminado de fábrica y provocar Denegación de Servicio (DoS) condición de los productos mediante el envío de paquetes específicos. • https://jvn.jp/vu/JVNVU94620134 https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-03 https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-013_en.pdf • CWE-345: Insufficient Verification of Data Authenticity •
CVSS: 5.3EPSS: 0%CPEs: 126EXPL: 0CVE-2023-4625 – Denial-of-Service(DoS) Vulnerability in Web server function on MELSEC Series CPU module
https://notcve.org/view.php?id=CVE-2023-4625
Improper Restriction of Excessive Authentication Attempts vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F/iQ-R Series CPU modules Web server function allows a remote unauthenticated attacker to prevent legitimate users from logging into the Web server function for a certain period after the attacker has attempted to log in illegally by continuously attempting unauthorized login to the Web server function. The impact of this vulnerability will persist while the attacker continues to attempt unauthorized login. Vulnerabilidad de restricción inadecuada de intentos de autenticación excesivos en los módulos de Mitsubishi Electric Corporation MELSEC iQ-F Series CPU, la función de servidor web permite a un atacante remoto no autenticado evitar que usuarios legítimos inicien sesión en la función de servidor web durante un cierto período después de que el atacante haya intentado iniciar sesión ilegalmente al intentar continuamente iniciar sesión sin autorización en la función del servidor web. El impacto de esta vulnerabilidad persistirá mientras el atacante continúe intentando iniciar sesión sin autorización. • https://jvn.jp/vu/JVNVU94620134 https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-02 https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-014_en.pdf • CWE-307: Improper Restriction of Excessive Authentication Attempts •
CVSS: 7.5EPSS: 0%CPEs: 76EXPL: 0CVE-2023-0457 – Information Disclosure Vulnerability in MELSEC Series
https://notcve.org/view.php?id=CVE-2023-0457
Plaintext Storage of a Password vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series, MELSEC iQ-R Series, MELSEC-Q Series and MELSEC-L Series allows a remote unauthenticated attacker to disclose plaintext credentials stored in project files and login into FTP server or Web server. • https://jvn.jp/vu/JVNVU93891523/index.html https://www.cisa.gov/news-events/ics-advisories/icsa-23-061-01 https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-023_en.pdf • CWE-256: Plaintext Storage of a Password CWE-522: Insufficiently Protected Credentials •
CVSS: 9.1EPSS: 0%CPEs: 106EXPL: 0CVE-2022-40267 – Authentication Bypass Vulnerability in Web Server Function on MELSEC Series
https://notcve.org/view.php?id=CVE-2022-40267
Predictable Seed in Pseudo-Random Number Generator (PRNG) vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series FX5U-xMy/z (x=32,64,80, y=T,R, z=ES,DS,ESS,DSS) with serial number 17X**** or later, and versions 1.280 and prior, Mitsubishi Electric Corporation MELSEC iQ-F Series FX5U-xMy/z (x=32,64,80, y=T,R, z=ES,DS,ESS,DSS) with serial number 179**** and prior, and versions 1.074 and prior, Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UC-xMy/z (x=32,64,96, y=T, z=D,DSS)) with serial number 17X**** or later, and versions 1.280 and prior, Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UC-xMy/z (x=32,64,96, y=T, z=D,DSS)) with serial number 179**** and prior, and versions 1.074 and prior, Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UC-32MT/DS-TS versions 1.280 and prior, Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UC-32MT/DSS-TS versions 1.280 and prior, Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UJ-xMy/z (x=24,40,60, y=T,R, z=ES,ESS) versions 1.042 and prior, Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UJ-xMy/ES-A (x=24,40,60, y=T,R) versions 1.043 and prior, Mitsubishi Electric Corporation MELSEC iQ-F Series FX5S-xMy/z (x=30,40,60,80, y=T,R, z=ES,ESS) versions 1.003 and prior, Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UC-32MR/DS-TS versions 1.280 and prior, Mitsubishi Electric Corporation MELSEC iQ-R Series R00/01/02CPU versions 33 and prior, Mitsubishi Electric Corporation MELSEC iQ-R Series R04/08/16/32/120(EN)CPU versions 66 and prior allows a remote unauthenticated attacker to access the Web server function by guessing the random numbers used for authentication from several used random numbers. • https://jvn.jp/vu/JVNVU99673580/index.html https://www.cisa.gov/uscert/ics/advisories/icsa-23-017-02 https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-019_en.pdf • CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) CWE-337: Predictable Seed in Pseudo-Random Number Generator (PRNG) •
CVSS: 5.9EPSS: 0%CPEs: 32EXPL: 0CVE-2022-25160
https://notcve.org/view.php?id=CVE-2022-25160
Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric MELSEC iQ-F series FX5U(C) CPU all versions, Mitsubishi Electric MELSEC iQ-F series FX5UJ CPU all versions, Mitsubishi Electric MELSEC iQ-R series R00/01/02CPU all versions, Mitsubishi Electric MELSEC iQ-R series R04/08/16/32/120(EN)CPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120SFCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PSFCPU all versions, Mitsubishi Electric MELSEC iQ-R series R16/32/64MTCPU all versions, Mitsubishi Electric MELSEC iQ-R series RJ71C24(-R2/R4) all versions, Mitsubishi Electric MELSEC iQ-R series RJ71EN71 all versions, Mitsubishi Electric MELSEC iQ-R series RJ72GF15-T2 all versions, Mitsubishi Electric MELSEC Q series Q03/04/06/13/26UDVCPU all versions, Mitsubishi Electric MELSEC Q series Q04/06/13/26UDPVCPU all versions, Mitsubishi Electric MELSEC Q series QJ71C24N(-R2/R4) all versions and Mitsubishi Electric MELSEC Q series QJ71E71-100 all versions allows a remote unauthenticated attacker to disclose a file in a legitimate user's product by using previously eavesdropped cleartext information and to counterfeit a legitimate user’s system. Vulnerabilidad de almacenamiento de texto claro de información sensible en la CPU de la serie MELSEC iQ-F de Mitsubishi Electric FX5U(C) todas las versiones, la CPU de la serie MELSEC iQ-F de Mitsubishi Electric FX5UJ todas las versiones, la CPU de la serie MELSEC iQ-R de Mitsubishi Electric R00/01/02CPU todas las versiones, la CPU de la serie MELSEC iQ-R de Mitsubishi Electric R04/08/16/32/120(ES)todas las versiones, Mitsubishi Electric MELSEC iQ-R serie R08/16/32/120SFCPU todas las versiones, Mitsubishi Electric MELSEC iQ-R serie R08/16/32/120PCPU todas las versiones, Mitsubishi Electric MELSEC iQ-R serie R08/16/32/120PSFCPU todas las versiones, Mitsubishi Electric MELSEC iQ-R serie R16/32/64MTCPU todas las versiones, Mitsubishi Electric MELSEC iQ-R serie RJ71C24(-R2/R4) todas las versiones, Mitsubishi Electric MELSEC iQ-R serie RJ71EN71 todas las versiones, Mitsubishi Electric MELSEC iQ-R serie RJ72GF15-T2 todas las versiones, Mitsubishi Electric MELSEC Q serie Q03/04/06/13/26UDVCPU todas las versiones, Mitsubishi Electric MELSEC Q serie Q04/06/13/26UDPVCPU todas las versiones, Mitsubishi Electric MELSEC Q series QJ71C24N(-R2/R4) todas las versiones y Mitsubishi Electric MELSEC Q series QJ71E71-100 todas las versiones permite a un atacante remoto no autenticado revelar un archivo en el producto de un usuario legítimo utilizando información en texto claro previamente escuchada y falsificar el sistema de un usuario legítimo • https://jvn.jp/vu/JVNVU96577897/index.html https://www.cisa.gov/uscert/ics/advisories/icsa-22-090-04 https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-031_en.pdf • CWE-312: Cleartext Storage of Sensitive Information •