CVE-2022-25157

Q: What is the severity of CVE-2022-25157?

CVE-2022-25157 has a CVSS score of 9.1 (CRITICAL). This vulnerability in Mitsubishi Electric MELSEC PLCs allows remote unauthenticated attackers to use intercepted password hashes for authentication instead of requiring the actual password. This affects numerous iQ-F, iQ-R, Q series, and L series PLC models across all versions. Attackers can potentially access, disclose, or tamper with industrial control system information.

9.1 CRITICAL

Authentication Bypass

📋 TL;DR

This vulnerability in Mitsubishi Electric MELSEC PLCs allows remote unauthenticated attackers to use intercepted password hashes for authentication instead of requiring the actual password. This affects numerous iQ-F, iQ-R, Q series, and L series PLC models across all versions. Attackers can potentially access, disclose, or tamper with industrial control system information.

💻 Affected Systems

Products:

Mitsubishi Electric MELSEC iQ-F series FX5U(C) CPU
Mitsubishi Electric MELSEC iQ-F series FX5UJ CPU
Mitsubishi Electric MELSEC iQ-R series R00/01/02CPU
Mitsubishi Electric MELSEC iQ-R series R04/08/16/32/120(EN)CPU
Mitsubishi Electric MELSEC iQ-R series R08/16/32/120SFCPU
Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PCPU
Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PSFCPU
Mitsubishi Electric MELSEC iQ-R series R16/32/64MTCPU
Mitsubishi Electric MELSEC iQ-R series RJ71C24(-R2/R4)
Mitsubishi Electric MELSEC iQ-R series RJ71EN71
Mitsubishi Electric MELSEC iQ-R series RJ71GF11-T2
Mitsubishi Electric MELSEC iQ-R series RJ71GP21(S)-SX
Mitsubishi Electric MELSEC iQ-R series RJ72GF15-T2
Mitsubishi Electric MELSEC Q series Q03UDECPU
Mitsubishi Electric MELSEC Q series Q04/06/10/13/20/26/50/100UDEHCPU
Mitsubishi Electric MELSEC Q series Q03/04/06/13/26UDVCPU
Mitsubishi Electric MELSEC Q series Q04/06/13/26UDPVCPU
Mitsubishi Electric MELSEC Q series QJ71C24N(-R2/R4)
Mitsubishi Electric MELSEC Q series QJ71E71-100
Mitsubishi Electric MELSEC L series L02/06/26CPU(-P)
Mitsubishi Electric MELSEC L series L26CPU-(P)BT
Mitsubishi Electric MELSEC L series LJ71C24(-R2)
Mitsubishi Electric MELSEC L series LJ71E71-100
Mitsubishi Electric MELSEC L series LJ72GF15-T2

Versions: All versions

Operating Systems: PLC firmware

Default Config Vulnerable: ⚠️ Yes

Notes: All listed products in their default configurations are vulnerable. No specific version ranges - all versions are affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of industrial control systems leading to production disruption, safety hazards, data theft, or physical damage to equipment.

🟠

Likely Case

Unauthorized access to PLC programming and configuration, allowing attackers to modify logic, steal proprietary information, or disrupt operations.

🟢

If Mitigated

Limited impact if systems are air-gapped, have strict network segmentation, and use additional authentication layers.

🌐 Internet-Facing: HIGH

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Attack requires network access to intercept password hashes, but once obtained, authentication bypass is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-031_en.pdf

Restart Required: No

Instructions:

No firmware patch available. Apply workarounds and mitigations as described in vendor advisory.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate affected PLCs from untrusted networks using firewalls and VLANs

Encrypted Communications

all

Use VPNs or encrypted protocols for all PLC communications

🧯 If You Can't Patch

Implement strict network segmentation to isolate PLCs from general corporate networks
Monitor network traffic for unauthorized authentication attempts and hash interception

🔍 How to Verify

Check if Vulnerable:

Check if you have any of the affected Mitsubishi MELSEC PLC models listed in the advisory

Check Version:

Check PLC model and firmware version via engineering software (MELSOFT)

Verify Fix Applied:

Verify network segmentation and encryption controls are properly implemented

📡 Detection & Monitoring

Log Indicators:

Failed authentication attempts followed by successful access
Unusual network connections to PLC ports

Network Indicators:

Unencrypted authentication traffic to PLCs
Traffic patterns indicating hash interception

SIEM Query:

source_ip=PLC_IP AND (port=5006 OR port=5007) AND (event_type=auth OR protocol=melsec)

📊 Metadata

CVE ID: CVE-2022-25157

CVSS v3 Score: 9.1 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CWE: CWE-287

Published: April 1, 2022

Last Updated: November 21, 2024

🔗 References

https://jvn.jp/vu/JVNVU96577897/index.html Third Party Advisory
https://www.cisa.gov/uscert/ics/advisories/icsa-22-090-04 Third Party Advisory,US Government Resource
https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-031_en.pdf Vendor Advisory
https://jvn.jp/vu/JVNVU96577897/index.html Third Party Advisory
https://www.cisa.gov/uscert/ics/advisories/icsa-22-090-04 Third Party Advisory,US Government Resource
https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-031_en.pdf Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Fx5uc 32mr\/ds Ts Firmware by Mitsubishielectric

Fx5uc 32mt\/d Firmware by Mitsubishielectric

Fx5uc 32mt\/ds Ts Firmware by Mitsubishielectric

Fx5uc 32mt\/dss Firmware by Mitsubishielectric

Fx5uc 32mt\/dss Ts Firmware by Mitsubishielectric

Fx5uc Firmware by Mitsubishielectric

Fx5uj 24mr\/es Firmware by Mitsubishielectric

Fx5uj 24mt\/es Firmware by Mitsubishielectric

Fx5uj 24mt\/ess Firmware by Mitsubishielectric

Fx5uj 40mr\/es Firmware by Mitsubishielectric

Fx5uj 40mt\/es Firmware by Mitsubishielectric

Fx5uj 40mt\/ess Firmware by Mitsubishielectric

Fx5uj 60mr\/es Firmware by Mitsubishielectric

Fx5uj 60mt\/es Firmware by Mitsubishielectric

Fx5uj 60mt\/ess Firmware by Mitsubishielectric

Fx5uj Firmware by Mitsubishielectric