HOMEVULNERABILITIESVENDORSMitsubishielectric

MitsubishielectricCVEs & Vulnerabilities

158 CVEs affecting Mitsubishielectric products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

gx works3 33gx works2 26gt softgot2000 21ezsocket 20fr configurator2 19cw configurator 19mx component 19rt toolbox3 19
CVE-2019-14928MEDIUM

An issue was discovered on Mitsubishi Electric Europe B.V. ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. A number of stored cross-site script (XSS) vulnerabilities allow an attacker to inject malicious code directly into the application. An example input variable vulnerable to stored XSS is SerialInitialModemString in the index.php page.

28 Oct 2019
5.4
CVSS
CVE-2019-14927HIGHpoc

An issue was discovered on Mitsubishi Electric Europe B.V. ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. An unauthenticated remote configuration download vulnerability allows an attacker to download the smartRTU's configuration file (which contains data such as usernames, passwords, and other sensitive RTU data).

28 Oct 2019
7.5
CVSS
CVE-2019-14926CRITICAL

An issue was discovered on Mitsubishi Electric Europe B.V. ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. Hard-coded SSH keys allow an attacker to gain unauthorised access or disclose encrypted data on the RTU due to the keys not being regenerated on initial installation or with firmware updates. In other words, these devices use private-key values in /etc/ssh/ssh_host_rsa_key, /etc/ssh/ssh_host_ecdsa_key, and /etc/ssh/ssh_host_dsa_key files that are publicly available from the vendor web sites.

28 Oct 2019
9.8
CVSS
CVE-2019-14925MEDIUM

An issue was discovered on Mitsubishi Electric Europe B.V. ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. A world-readable /usr/smartrtu/init/settings.xml configuration file on the file system allows an attacker to read sensitive configuration settings such as usernames, passwords, and other sensitive RTU data due to insecure permission assignment.

28 Oct 2019
6.5
CVSS
CVE-2019-10976MEDIUM

Mitsubishi Electric FR Configurator2, Version 1.16S and prior. This vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project and/or template file (.frc2). Once a user opens the file, the attacker could read arbitrary files.

26 Jul 2019
5.5
CVSS
CVE-2019-10972MEDIUM

Mitsubishi Electric FR Configurator2, Version 1.16S and prior. This vulnerability can be triggered when an attacker provides the target with a rogue project file (.frc2). Once a user opens the rogue project, CPU exhaustion occurs, which causes the software to quit responding until the application is restarted.

26 Jul 2019
5.5
CVSS
CVE-2019-10977HIGH

In Mitsubishi Electric MELSEC-Q series Ethernet module QJ71E71-100 serial number 20121 and prior, an attacker could send crafted TCP packets against the FTP service, forcing the target devices to enter an error mode and cause a denial-of-service condition.

23 May 2019
7.5
CVSS
CVE-2019-6535HIGH

Mitsubishi Electric Q03/04/06/13/26UDVCPU: serial number 20081 and prior, Q04/06/13/26UDPVCPU: serial number 20081 and prior, and Q03UDECPU, Q04/06/10/13/20/26/50/100UDEHCPU: serial number 20101 and prior. A remote attacker can send specific bytes over Port 5007 that will result in an Ethernet stack crash and disruption to USB communication.

5 Feb 2019
7.5
CVSS
CVE-2017-9638CRITICAL

Mitsubishi E-Designer, Version 7.52 Build 344 contains six code sections which may be exploited to overwrite the stack. This can result in arbitrary code execution, compromised data integrity, denial of service, and system crash.

17 Apr 2018
9.8
CVSS
CVE-2017-9636CRITICAL

Mitsubishi E-Designer, Version 7.52 Build 344 contains five code sections which may be exploited to overwrite the heap. This can result in arbitrary code execution, compromised data integrity, denial of service, and system crash.

17 Apr 2018
9.8
CVSS
CVE-2017-9634CRITICAL

Mitsubishi E-Designer, Version 7.52 Build 344 contains two code sections which may be exploited to allow an attacker to overwrite arbitrary memory locations. This can result in arbitrary code execution, compromised data integrity, denial of service, and system crash.

17 Apr 2018
9.8
CVSS
CVE-2016-8370HIGH

An issue was discovered in Mitsubishi Electric Automation MELSEC-Q series Ethernet interface modules QJ71E71-100, all versions, QJ71E71-B5, all versions, and QJ71E71-B2, all versions. Weakly encrypted passwords are transmitted to a MELSEC-Q PLC.

13 Feb 2017
7.5
CVSS
CVE-2016-8368HIGH

An issue was discovered in Mitsubishi Electric Automation MELSEC-Q series Ethernet interface modules QJ71E71-100, all versions, QJ71E71-B5, all versions, and QJ71E71-B2, all versions. The affected Ethernet interface module is connected to a MELSEC-Q PLC, which may allow a remote attacker to connect to the PLC via Port 5002/TCP and cause a denial of service, requiring the PLC to be reset to resume operation. This is caused by an Unrestricted Externally Accessible Lock.

13 Feb 2017
8.6
CVSS
CVE-2013-2817CRITICALpoc

An ActiveX control in IcoLaunch.dll in Mitsubishi Electric Automation MC-WorX Suite 8.02 allows user-assisted remote attackers to execute arbitrary programs via a crafted HTML document in conjunction with a Login Client button click.

24 Feb 2014
9.3
CVSS
← PrevPage 4 / 4Next →
Mitsubishielectric CVEs & Vulnerabilities — 158 Tracked — Page 4