CVE-2022-25159

8.1 HIGH

📋 TL;DR

This CVE describes an authentication bypass by capture-replay (CWE-294) in multiple Mitsubishi Electric MELSEC programmable logic controller (PLC) CPUs and communication modules. An attacker who can capture the login packets of a legitimate engineering session can resend them to the PLC and log in without knowing the password, obtaining the same access the legitimate session had. All listed MELSEC iQ-F, iQ-R and Q series products are affected in all versions.

💻 Affected Systems

Products:
  • Mitsubishi Electric MELSEC iQ-F series FX5U(C) CPU
  • Mitsubishi Electric MELSEC iQ-F series FX5UJ CPU
  • Mitsubishi Electric MELSEC iQ-R series R00/01/02CPU
  • Mitsubishi Electric MELSEC iQ-R series R04/08/16/32/120(EN)CPU
  • Mitsubishi Electric MELSEC iQ-R series R08/16/32/120SFCPU
  • Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PCPU
  • Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PSFCPU
  • Mitsubishi Electric MELSEC iQ-R series R16/32/64MTCPU
  • Mitsubishi Electric MELSEC iQ-R series RJ71C24(-R2/R4)
  • Mitsubishi Electric MELSEC iQ-R series RJ71EN71
  • Mitsubishi Electric MELSEC iQ-R series RJ72GF15-T2
  • Mitsubishi Electric MELSEC Q series Q03/04/06/13/26UDVCPU
  • Mitsubishi Electric MELSEC Q series Q04/06/13/26UDPVCPU
  • Mitsubishi Electric MELSEC Q series QJ71C24N(-R2/R4)
  • Mitsubishi Electric MELSEC Q series QJ71E71-100
Versions: All versions
Operating Systems: Not applicable - PLC firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All listed products in default configuration are vulnerable. This affects industrial control systems used in manufacturing, energy, and critical infrastructure.

📦 What is this software?

MELSEC is Mitsubishi Electric's family of programmable logic controllers used to run manufacturing and process equipment. The affected list covers CPU modules of the iQ-F (FX5), iQ-R and Q series together with their Ethernet and serial communication modules (RJ71EN71, RJ71C24, RJ72GF15-T2, QJ71E71-100, QJ71C24N). Engineers program and administer these controllers over the network with the GX Works2 (Q series) and GX Works3 (iQ-R/iQ-F) tools; the login exchange used by that engineering connection is what this CVE allows an attacker to replay.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker who replays a captured login gets whatever the engineering session could do: read and rewrite the PLC program and parameters, change device values, and stop or restart the CPU, with whatever physical consequences that has for the process the PLC controls. Reading the program also exposes process logic and set points.

🟠

Likely Case

Unauthorized engineering access to a PLC from a host inside the plant network, used to change configuration, disrupt production, copy the program, or keep a foothold on the control network.

🟢

If Mitigated

Limited impact if the PLC is reachable only from a segmented engineering network: the login can then only be captured and replayed by hosts on that segment, and reuse of a captured login frame from a second source is visible to network monitoring.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ❌ No
Weaponized: No public tooling known; replaying a captured login needs no product-specific exploit code, only a capture and a resend
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW once login traffic has been captured (the 8.1 CVSS base score rates attack complexity as high because the capture is a precondition)

The attacker must first be positioned to capture an engineering login to the PLC (same segment, span port, compromised workstation or gateway). Once a login sequence has been captured, resending it is straightforward and requires no credentials. A captured login stays usable until the PLC password is changed; a login captured after the change is replayable again.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check the vendor advisory below for per-product fixed firmware versions; where none is listed for your product, contact Mitsubishi Electric

Vendor Advisory: https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-031_en.pdf

Restart Required: Yes

Instructions:

1. Contact Mitsubishi Electric for firmware updates specific to your affected products
2. Schedule maintenance window for firmware updates
3. Backup PLC programs before updating
4. Apply firmware updates following vendor instructions
5. Verify functionality after update

🔧 Temporary Workarounds

Network Segmentation

Applies to: all affected products

Isolate affected PLCs in a dedicated segment and permit traffic to the engineering ports (MELSOFT 5006/5007 by default) only from the sanctioned engineering hosts. This limits both who can capture a login and who can resend one.

VPN/Encrypted Tunnels

Applies to: all affected products

Require a VPN or encrypted tunnel for all remote access to PLCs. Caveat: the tunnel protects the login only up to its endpoint. Traffic leaves the tunnel in the clear on the PLC's own segment, so a host on that segment can still capture and replay a login; terminate the tunnel as close to the PLC as the design allows.

Source IP Filtering

Applies to: CPUs and Ethernet modules that provide the built-in IP filter function (a product feature, not a statement from the advisory)

Configure the IP filter to accept connections only from the engineering hosts. Caveat: the filter matches on IP address only, so an attacker on the same segment can spoof an allowed address while the real workstation is offline; use it together with segmentation and monitoring, not instead of them.

🧯 If You Can't Patch

  • Implement strict network segmentation so that only sanctioned engineering hosts can reach the PLCs' engineering ports
  • Change PLC passwords after any suspected exposure of engineering traffic; a captured login is only useful until the password it carried is changed
  • Deploy network monitoring that records which source sends each login to a PLC, so that a login frame reused from a second host is detected

🔍 How to Verify

Check if Vulnerable:

Compare every CPU and communication module in your inventory against the affected list, including communication modules (RJ71EN71, RJ71C24, RJ72GF15-T2, QJ71E71-100, QJ71C24N) installed in a rack with a CPU that is not itself listed. If any listed product is present, assume it is vulnerable regardless of firmware version until the vendor confirms a fixed version.
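The affected list above compresses model names ("R04/08/16/32/120(EN)CPU" stands for ten CPUs, "RJ71C24(-R2/R4)" for three modules), which makes a manual inventory check error-prone. The following Python is an added example, not code from the page or from Mitsubishi Electric: it expands the page's notation into explicit model names and matches a site inventory against them. The inventory is constructed for illustration; the product tokens are copied from the list above.

```python
from __future__ import annotations
import re

# Product tokens exactly as the affected list on this page writes them
# (series prefix dropped). "All versions" applies to every entry.
AFFECTED_PATTERNS = [
    "FX5U(C) CPU",
    "FX5UJ CPU",
    "R00/01/02CPU",
    "R04/08/16/32/120(EN)CPU",
    "R08/16/32/120SFCPU",
    "R08/16/32/120PCPU",
    "R08/16/32/120PSFCPU",
    "R16/32/64MTCPU",
    "RJ71C24(-R2/R4)",
    "RJ71EN71",
    "RJ72GF15-T2",
    "Q03/04/06/13/26UDVCPU",
    "Q04/06/13/26UDPVCPU",
    "QJ71C24N(-R2/R4)",
    "QJ71E71-100",
]


def expand(pattern: str) -> set[str]:
    """Expand the advisory's compressed notation into explicit model names.

    Three conventions occur in the list above:
      * "(X)" is an optional suffix:            FX5U(C)        -> FX5U, FX5UC
      * "(-A/B)" is an optional suffix with
        alternatives sharing the hyphen:        RJ71C24(-R2/R4) -> RJ71C24, RJ71C24-R2, RJ71C24-R4
      * a slash-separated run of numbers lists
        models sharing the surrounding text:    R00/01/02CPU   -> R00CPU, R01CPU, R02CPU
    """
    pattern = pattern.replace(" CPU", "")  # "FX5U(C) CPU": the model names are FX5U / FX5UC
    groups: list[list[str]] = []

    def stash(m: re.Match) -> str:
        alts = m.group(1).split("/")
        if alts[0].startswith("-"):           # "(-R2/R4)": the hyphen belongs to every alternative
            alts = [a if a.startswith("-") else "-" + a for a in alts]
        groups.append([""] + alts)            # "" = suffix absent
        return "\x00"                         # placeholder, substituted below

    core = re.sub(r"\(([^)]*)\)", stash, pattern)

    m = re.search(r"\d+(?:/\d+)+", core)      # numeric alternatives outside parentheses
    if m:
        cores = [core[:m.start()] + n + core[m.end():] for n in m.group(0).split("/")]
    else:
        cores = [core]

    models: set[str] = set()
    for c in cores:
        partials = [c]
        for alts in groups:
            partials = [p.replace("\x00", a, 1) for p in partials for a in alts]
        models.update(partials)
    return models


def affected_models() -> set[str]:
    """Every explicit model name covered by the affected list."""
    return set().union(*(expand(p) for p in AFFECTED_PATTERNS))


def check_inventory(inventory: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Return the (asset, model) pairs whose model is on the affected list.
    Any hit is 'assume vulnerable' until the vendor confirms fixed firmware."""
    models = affected_models()
    return [(asset, model) for asset, model in inventory
            if model.strip().upper() in models]


# Constructed sample inventory for a hypothetical site (not from the page).
SAMPLE_INVENTORY = [
    ("Line-1 PLC", "FX5UC"),
    ("Line-2 PLC", "R08ENCPU"),
    ("Packaging PLC", "Q06UDEHCPU"),           # UDEH series: not on the list
    ("Line-2 Ethernet module", "QJ71E71-100"),  # a module in a rack is listed on its own
    ("Test bench", "FX5S"),                     # not on the list
]

if __name__ == "__main__":
    for asset, model in check_inventory(SAMPLE_INVENTORY):
        print(f"{asset}: {model} is listed as affected (all versions)")
```

Feed it the model strings as GX Works or your asset register reports them; the match is exact after case-folding, so a module reported with a different suffix (for example a UDEH CPU) is correctly not matched and should be checked against the advisory separately rather than assumed safe.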

Check Version:

Read the running firmware version from the CPU or module with the matching engineering tool: GX Works3 for iQ-R and iQ-F products, GX Works2 for Q series products. Record it before updating so the change can be confirmed afterwards.

Verify Fix Applied:

Compare the running firmware version with the fixed version the vendor advisory gives for your product; if the advisory lists no fixed version for it, contact Mitsubishi Electric to confirm whether a fix for CVE-2022-25159 is available.

📡 Detection & Monitoring

Log Indicators:

  • Most of the affected CPUs and modules keep little or no authentication log, so these indicators come from firewall, IDS, switch span port and jump-host logs rather than from the PLC itself
  • Connections to a PLC's engineering ports from a source that is not a sanctioned engineering host
  • Engineering logins outside maintenance windows, or with no matching VPN or jump-host session
  • Program, parameter or RUN/STOP changes with no corresponding change record

Network Indicators:

  • The same byte-identical login frame to a PLC sent from two different source addresses. This is the strongest indicator; the sanctioned workstation resending its own identical login every session is normal, and is exactly why the login is replayable, so repetition from one source is not by itself a signal
  • Cleartext engineering traffic to PLC ports (MELSOFT 5006/5007 by default; add any ports configured on your Ethernet modules) arriving from outside the engineering segment
  • A new MAC/IP pairing or switch port talking to a PLC, which catches an attacker spoofing the workstation's address while it is offline

SIEM Query (pseudo-query; adapt field names to your platform):

dest_ip IN (PLC_IPS) AND dest_port IN (5006, 5007) AND NOT src_ip IN (ENGINEERING_HOSTS)

and, where the sensor exports a payload hash per flow:

dest_ip IN (PLC_IPS) AND dest_port IN (5006, 5007) | stats dc(src_ip) AS sources BY dest_ip, payload_hash | where sources > 1
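The detection logic behind the indicators above, as an added example that is not part of the original page or of any vendor tooling. It runs over a constructed packet list (the payloads are placeholders, not real MELSOFT frames) and raises two kinds of alert: any PLC-bound traffic from a host outside the engineering allow-list, and a byte-identical frame reaching the same PLC port from a different source than the one that first sent it. The port numbers and the allow-list are assumptions for the example.

```python
import hashlib
from dataclasses import dataclass

# Default MELSOFT connection ports on the PLC side. Assumption: the site has not
# changed them; add any other engineering ports configured on the CPU or module.
MELSOFT_PORTS = {5006, 5007}


@dataclass(frozen=True)
class Packet:
    ts: float        # capture timestamp, seconds
    src: str         # source IP
    dst: str         # destination IP (the PLC)
    dport: int       # destination port on the PLC
    payload: bytes   # transport payload as captured


def detect_replays(packets, engineering_hosts, ports=MELSOFT_PORTS):
    """Return a list of alert tuples for PLC-bound traffic.

    Two signals:
      * ("unauthorized_source", src, dst, ts): a host outside the engineering
        allow-list talks to a PLC engineering port at all.
      * ("replayed_frame", src, dst, ts, (first_src, first_ts)): a byte-identical
        frame to the same PLC and port is seen from a different source than the
        one that first sent it.
    Repeats of the same frame from the *same* host are deliberately not flagged:
    with a static login the sanctioned workstation legitimately resends an
    identical login frame every session, which is what makes the frame
    replayable in the first place.
    """
    first_sender = {}   # (dst, dport, sha256(payload)) -> (src, ts) of first sighting
    alerts = []
    for p in sorted(packets, key=lambda x: x.ts):
        if p.dport not in ports:
            continue
        if p.src not in engineering_hosts:
            alerts.append(("unauthorized_source", p.src, p.dst, p.ts))
        key = (p.dst, p.dport, hashlib.sha256(p.payload).hexdigest())
        origin = first_sender.setdefault(key, (p.src, p.ts))
        if origin[0] != p.src:
            alerts.append(("replayed_frame", p.src, p.dst, p.ts, origin))
    return alerts


# Constructed sample capture (placeholder payloads, not real MELSOFT frames):
# the sanctioned workstation logs in at 09:00 and again at 10:00 with the
# identical login frame; at 11:00 an unknown host resends that frame, then writes.
LOGIN_FRAME = b"\x57\x00\x00\x00\x00\x11\x11\x07\x00\x00\xff\xff\x03\x00" + b"LOGIN-DEMO"
SAMPLE_CAPTURE = [
    Packet(32400.0, "10.0.10.5",  "10.0.20.10", 5007, LOGIN_FRAME),
    Packet(32401.0, "10.0.10.5",  "10.0.20.10", 5007, b"READ-DEMO"),
    Packet(36000.0, "10.0.10.5",  "10.0.20.10", 5007, LOGIN_FRAME),   # same host: normal
    Packet(39600.0, "10.0.30.77", "10.0.20.10", 5007, LOGIN_FRAME),   # replay from unknown host
    Packet(39601.0, "10.0.30.77", "10.0.20.10", 5007, b"WRITE-DEMO"),
    Packet(39602.0, "10.0.30.77", "10.0.20.10", 80,   b"GET / HTTP/1.0\r\n\r\n"),  # not an engineering port: ignored
]
ENGINEERING_HOSTS = {"10.0.10.5"}   # assumption: the only sanctioned GX Works host

if __name__ == "__main__":
    for alert in detect_replays(SAMPLE_CAPTURE, ENGINEERING_HOSTS):
        print(alert)
```

The cross-source check only works while the attacker's address differs from the workstation's. If the attacker spoofs the workstation's IP while it is offline, the frame looks like a normal re-login; that case needs the MAC or switch-port attribution listed under Network Indicators, which this example does not model.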

🔗 References

  • Mitsubishi Electric PSIRT advisory: https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-031_en.pdf
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2022-25159