CVE-2021-20590
📋 TL;DR
This vulnerability allows remote unauthenticated attackers to bypass authentication in Mitsubishi Electric GOT2000 and GOT SIMPLE series HMI VNC servers. Attackers can gain unauthorized access by sending specially crafted packets when the VNC server function is enabled. Affected systems include specific models of GOT2000 and GOT SIMPLE series industrial HMIs.
💻 Affected Systems
- GOT2000 series GT27 model
- GOT2000 series GT25 model
- GOT2000 series GT21 model GT2107-WTBD
- GOT2000 series GT21 model GT2107-WTSD
- GOT SIMPLE series GS21 model GS2110-WTBD-N
- GOT SIMPLE series GS21 model GS2107-WTBD-N
📦 What is this software?
GOT2000 GT25 Firmware by Mitsubishi Electric
GOT2000 GT27 Firmware by Mitsubishi Electric
GS2107-WTBD-N Firmware by Mitsubishi Electric
GS2110-WTBD-N Firmware by Mitsubishi Electric
GT2107-WTBD Firmware by Mitsubishi Electric
GT2107-WTSD Firmware by Mitsubishi Electric
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of industrial control systems, allowing attackers to manipulate HMI interfaces, disrupt operations, or pivot to other industrial network segments.
Likely Case
Unauthorized access to HMI interfaces enabling monitoring of industrial processes, data theft, or limited manipulation of displayed information.
If Mitigated
Limited impact if VNC server function is disabled or network segmentation prevents access to vulnerable systems.
🎯 Exploit Status
Exploitation requires sending specially crafted packets to the VNC server port (typically 5900).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: GT27/GT25: 01.39.011 or later; GT21/GS21: 01.40.001 or later
Vendor Advisory: https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-001_en.pdf
Restart Required: Yes
Instructions:
1. Download firmware update from Mitsubishi Electric support portal.
2. Backup current configuration.
3. Apply firmware update via USB or network.
4. Restart the HMI.
5. Verify firmware version is updated.
🔧 Temporary Workarounds
Disable VNC Server
Turn off the VNC server function if not required for operations.
Navigate to HMI settings > Communication Settings > VNC Server > Disable
Network Segmentation
Isolate affected HMIs in separate VLANs with strict firewall rules.
Configure firewall to block port 5900 from untrusted networks
🧯 If You Can't Patch
- Disable VNC server function immediately if not essential
- Implement strict network segmentation and firewall rules to block all access to port 5900 from untrusted networks
🔍 How to Verify
Check if Vulnerable:
Check HMI firmware version via System Information menu and verify if VNC server is enabled in Communication Settings.
Check Version:
Navigate to System Information > Firmware Version on HMI interface
Verify Fix Applied:
Confirm firmware version is 01.39.011 or later for GT27/GT25, or 01.40.001 or later for GT21/GS21 models.
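The version check above applied to a whole inventory, as an added example that is not taken from the vendor advisory: it compares each HMI's firmware numerically against the fixed versions listed on this page and separates unpatched units with VNC enabled from those with it disabled. The CSV columns, host names, sample model strings and the prefix matching on model names are assumptions.

```python
import csv
import io

# Fixed firmware versions as given on this page; matching by model-name
# prefix is an assumption about how the inventory records models.
FIXED = {"GT27": (1, 39, 11), "GT25": (1, 39, 11)}
FIXED.update(dict.fromkeys(
    ("GT2107-WTBD", "GT2107-WTSD", "GS2110-WTBD-N", "GS2107-WTBD-N"), (1, 40, 1)))

def parse_version(text):
    """'01.39.011' -> (1, 39, 11); ValueError for any other shape."""
    parts = text.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in parts)

def triage(row):
    """Classify one inventory row against the page's fix versions."""
    model = row["model"].strip().upper()
    fixed = next((v for k, v in FIXED.items() if model.startswith(k)), None)
    if fixed is None:
        return "not-listed"
    try:
        patched = parse_version(row["firmware"]) >= fixed
    except ValueError:
        return "check-manually"  # never guess from an odd version string
    if patched:
        return "patched"
    vnc_on = row["vnc_enabled"].strip().lower() == "yes"
    return "vulnerable-exposed" if vnc_on else "vulnerable-vnc-off"

# Constructed sample inventory: hosts, model strings and columns are hypothetical.
SAMPLE = """host,model,firmware,vnc_enabled
hmi-01,GT2712-STBA,01.38.000,yes
hmi-02,GT2510-WTBD,01.39.011,yes
hmi-03,GS2107-WTBD-N,01.39.011,no
hmi-04,GT2107-WTSD,1.40,yes
hmi-05,GT2104-RTBD,01.30.000,yes
"""

def triage_inventory(text):
    return {r["host"]: triage(r) for r in csv.DictReader(io.StringIO(text))}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE).items():
        print(host, status)
```

Note that `hmi-03` runs 01.39.011, which is fixed for GT27/GT25 but still below the 01.40.001 required for GS21, so it is reported as unpatched.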
📡 Detection & Monitoring
Log Indicators:
- Multiple failed VNC authentication attempts
- Unusual VNC connections from unexpected IP addresses
Network Indicators:
- Unusual traffic patterns on port 5900
- VNC protocol anomalies
SIEM Query:
source_port:5900 AND (event_type:authentication_failure OR protocol_anomaly:true)