CVE-2023-0457
📋 TL;DR
This vulnerability allows remote unauthenticated attackers to extract plaintext passwords from project files in Mitsubishi Electric PLC systems. Attackers can then use these credentials to log into FTP or web servers on affected devices. Industrial control systems using vulnerable MELSEC series PLCs are at risk.
💻 Affected Systems
- Mitsubishi Electric MELSEC iQ-F Series
- Mitsubishi Electric MELSEC iQ-R Series
- Mitsubishi Electric MELSEC-Q Series
- Mitsubishi Electric MELSEC-L Series
📦 What is this software?
Fx5 Enet Firmware by Mitsubishielectric
Fx5 Enet/ip Firmware by Mitsubishielectric
Fx5s 30mr/es Firmware by Mitsubishielectric
Fx5s 30mt/es Firmware by Mitsubishielectric
Fx5s 30mt/ess Firmware by Mitsubishielectric
Fx5s 40mr/es Firmware by Mitsubishielectric
Fx5s 40mt/es Firmware by Mitsubishielectric
Fx5s 40mt/ess Firmware by Mitsubishielectric
Fx5s 60mr/es Firmware by Mitsubishielectric
Fx5s 60mt/es Firmware by Mitsubishielectric
Fx5s 60mt/ess Firmware by Mitsubishielectric
Fx5s 80mr/es Firmware by Mitsubishielectric
Fx5s 80mt/es Firmware by Mitsubishielectric
Fx5s 80mt/ess Firmware by Mitsubishielectric
Fx5uc 32mr/ds Ts Firmware by Mitsubishielectric
Fx5uc 32mt/d Firmware by Mitsubishielectric
Fx5uc 32mt/ds Ts Firmware by Mitsubishielectric
Fx5uc 32mt/dss Firmware by Mitsubishielectric
Fx5uc 32mt/dss Ts Firmware by Mitsubishielectric
Fx5uc 64mt/d Firmware by Mitsubishielectric
Fx5uc 64mt/dss Firmware by Mitsubishielectric
Fx5uc 96mt/d Firmware by Mitsubishielectric
Fx5uc 96mt/dss Firmware by Mitsubishielectric
Fx5uj 24mr/es A Firmware by Mitsubishielectric
Fx5uj 24mr/es Firmware by Mitsubishielectric
Fx5uj 24mt/es A Firmware by Mitsubishielectric
Fx5uj 24mt/es Firmware by Mitsubishielectric
Fx5uj 24mt/ess Firmware by Mitsubishielectric
Fx5uj 40mr/es A Firmware by Mitsubishielectric
Fx5uj 40mr/es Firmware by Mitsubishielectric
Fx5uj 40mt/es A Firmware by Mitsubishielectric
Fx5uj 40mt/es Firmware by Mitsubishielectric
Fx5uj 40mt/ess Firmware by Mitsubishielectric
Fx5uj 60mr/es A Firmware by Mitsubishielectric
Fx5uj 60mr/es Firmware by Mitsubishielectric
Fx5uj 60mt/es A Firmware by Mitsubishielectric
Fx5uj 60mt/es Firmware by Mitsubishielectric
Fx5uj 60mt/ess Firmware by Mitsubishielectric
⚠️ Risk & Real-World Impact
Worst Case
Full compromise of industrial control systems leading to operational disruption, data theft, or physical damage through unauthorized access to critical infrastructure.
Likely Case
Unauthorized access to FTP/web servers, potential data exfiltration, and lateral movement within industrial networks.
If Mitigated
Limited impact with proper network segmentation and access controls preventing external access to vulnerable systems.
🎯 Exploit Status
Exploitation requires access to project files, which may be accessible via network shares or improper file permissions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to vendor advisory for specific firmware versions
Vendor Advisory: https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-023_en.pdf
Restart Required: Yes
Instructions:
1. Download updated firmware from the Mitsubishi Electric support portal.
2. Back up project files.
3. Install the firmware update following vendor documentation.
4. Restart the PLC.
5. Verify functionality.
🔧 Temporary Workarounds
Restrict network access
Block external access to PLC FTP and web servers using firewalls
Secure project files
Apply strict file permissions to prevent unauthorized access to project files
🧯 If You Can't Patch
- Isolate affected PLCs in dedicated network segments with strict access controls
- Disable FTP and web server functionality if not required for operations
🔍 How to Verify
Check if Vulnerable:
Check whether project files contain plaintext passwords by inspecting them with a hex editor or the strings command
Check Version:
Use PLC programming software (GX Works3) to read PLC firmware version
Verify Fix Applied:
Verify firmware version matches patched version from vendor advisory and test that project files no longer contain plaintext credentials
📡 Detection & Monitoring
Log Indicators:
- Unauthorized FTP login attempts
- Multiple failed web server authentication attempts followed by success
- Access to project files from unusual IP addresses
Network Indicators:
- FTP traffic to PLCs from external networks
- Unusual file transfers involving project files
SIEM Query:
source="plc_logs" AND (event_type="ftp_auth" OR event_type="web_auth") AND result="success" AND src_ip NOT IN allowed_ips
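The log indicators and the query above, worked through as an added example (not code from the vendor or from this page). The field names follow the query; the event records, addresses, allowlist, threshold and window are constructed assumptions, and the failure check is applied to FTP as well as web logins.

```python
from collections import defaultdict

# Constructed sample data: field names follow the SIEM query above; the
# timestamps (seconds), addresses and allowlist are made up for this example.
ALLOWED_IPS = {"10.10.5.20"}  # assumed engineering workstation
SAMPLE_EVENTS = [
    {"ts": 100, "src_ip": "10.10.5.20", "event_type": "ftp_auth", "result": "success"},
    {"ts": 200, "src_ip": "192.0.2.44", "event_type": "web_auth", "result": "failure"},
    {"ts": 210, "src_ip": "192.0.2.44", "event_type": "web_auth", "result": "failure"},
    {"ts": 220, "src_ip": "192.0.2.44", "event_type": "web_auth", "result": "failure"},
    {"ts": 230, "src_ip": "192.0.2.44", "event_type": "web_auth", "result": "success"},
    {"ts": 400, "src_ip": "198.51.100.7", "event_type": "ftp_auth", "result": "success"},
    {"ts": 500, "src_ip": "10.10.5.20", "event_type": "web_auth", "result": "failure"},
    {"ts": 510, "src_ip": "10.10.5.20", "event_type": "web_auth", "result": "success"},
]

def detect(events, allowed_ips, fail_threshold=3, window=300):
    """Return (ts, src_ip, reason) alerts for successful PLC FTP/web logins."""
    alerts = []
    failures = defaultdict(list)  # (src_ip, event_type) -> failure timestamps
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event_type"] not in ("ftp_auth", "web_auth"):
            continue  # only authentication events are relevant here
        key = (ev["src_ip"], ev["event_type"])
        if ev["result"] != "success":
            failures[key].append(ev["ts"])
            continue
        # A success resets the failure history; count only failures in the window.
        recent = [t for t in failures.pop(key, []) if ev["ts"] - t <= window]
        if ev["src_ip"] not in allowed_ips:
            alerts.append((ev["ts"], ev["src_ip"], "login from non-allowlisted address"))
        if len(recent) >= fail_threshold:
            alerts.append((ev["ts"], ev["src_ip"], "success after repeated failures"))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, ALLOWED_IPS):
        print(alert)
```

The event at ts=400 is flagged only by the allowlist rule: a login with a password that is already known produces no failed attempts, so the source-address check is the one that catches it.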
🔗 References
- https://jvn.jp/vu/JVNVU93891523/index.html
- https://www.cisa.gov/news-events/ics-advisories/icsa-23-061-01
- https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-023_en.pdf