CVE-2023-0525
📋 TL;DR
This vulnerability allows remote unauthenticated attackers to obtain plaintext passwords by sniffing and decrypting encrypted password packets during data transfers. Affected systems include Mitsubishi Electric GOT2000 and GOT SIMPLE series HMI devices, GT Designer3, and GT SoftGOT2000 software when using Data Transfer Security or SoftGOT-GOT link functions.
💻 Affected Systems
- GOT2000 Series GT27
- GOT2000 Series GT25
- GOT2000 Series GT23
- GOT2000 Series GT21
- GOT SIMPLE Series GS25
- GOT SIMPLE Series GS21
- GT Designer3 Version1 (GOT2000)
- GT SoftGOT2000
📦 What is this software?
- GS21 firmware by Mitsubishi Electric
- GS25 firmware by Mitsubishi Electric
- GT Designer3 by Mitsubishi Electric
- GT SoftGOT2000 by Mitsubishi Electric
- GT21 firmware by Mitsubishi Electric
- GT23 firmware by Mitsubishi Electric
- GT25 firmware by Mitsubishi Electric
- GT27 firmware by Mitsubishi Electric
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain administrative access to industrial control systems, potentially enabling manipulation of physical processes, production disruption, or safety system compromise.
Likely Case
Attackers obtain credentials to access HMI interfaces, allowing monitoring of industrial processes, data theft, or preparation for further attacks.
If Mitigated
With proper network segmentation and monitoring, the impact is limited to credential exposure, and an attacker still needs further steps to compromise the system.
🎯 Exploit Status
The attack requires network access to capture packets but no authentication. The decryption method is not publicly documented, but it is implied to be straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: GOT models: 01.50.000 or later; Software: 1.296A or later
Vendor Advisory: https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-008_en.pdf
Restart Required: Yes
Instructions:
1. Download the updated firmware/software from the Mitsubishi Electric website.
2. Back up the current configurations.
3. Apply the updates following the vendor documentation.
4. Restart the affected devices.
5. Verify the updated versions.
🔧 Temporary Workarounds
Disable Data Transfer Security Function
Temporarily disable the vulnerable encryption function until patches can be applied.
Configure via GT Designer3: Project → Communication Settings → Security → Disable Data Transfer Security
Network Segmentation
Isolate affected devices in separate VLANs with strict firewall rules.
# Example firewall rule to restrict traffic
# iptables -A FORWARD -s [GOT_network] -d [designer_network] -j DROP
🧯 If You Can't Patch
- Implement network monitoring for unusual traffic patterns between GOT devices and engineering stations.
- Use VPN tunnels for all remote access to affected systems with strong authentication.
🔍 How to Verify
Check if Vulnerable:
Check device firmware version via GT Designer3 connection or device settings menu. Verify if Data Transfer Security or SoftGOT-GOT link functions are enabled.
Check Version:
On GOT device: Settings → Version Information. In GT Designer3: Help → About.
Verify Fix Applied:
Confirm firmware/software version is 01.50.000 or later for GOT devices, or 1.296A or later for software.
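The check below is an added example, not part of the advisory or of Mitsubishi Electric's tooling: it compares the versions reported by an asset inventory against the fixed releases quoted above and distinguishes patched devices from unpatched ones on which the affected function is merely disabled. The `secure_transfer` field, the host names and the assumption that software revisions order by number and then by trailing letter are mine.

```python
import re
# Fixed versions from the advisory summary above (CVE-2023-0525).
FIXED_GOT_FIRMWARE = "01.50.000"  # GOT2000 / GOT SIMPLE models
FIXED_SOFTWARE = "1.296A"         # GT Designer3 Version1, GT SoftGOT2000
GOT_MODELS = {"GT27", "GT25", "GT23", "GT21", "GS25", "GS21"}
SOFTWARE = {"GT Designer3", "GT SoftGOT2000"}

def parse_firmware(version):
    """'01.50.000' -> (1, 50, 0); leading zeros drop out on int conversion."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected GOT firmware version: {version!r}")
    return tuple(int(p) for p in parts)

def parse_software(version):
    """'1.296A' -> (1, 296, 'A'). Assumption: the numeric part compares first,
    then the trailing revision letter (so 1.295Z < 1.296A)."""
    m = re.fullmatch(r"(\d+)\.(\d+)([A-Z])", version.strip())
    if not m:
        raise ValueError(f"unexpected software version: {version!r}")
    return (int(m.group(1)), int(m.group(2)), m.group(3))

def is_fixed(product, version):
    """True when the installed version is at or above the fixed release."""
    if product in GOT_MODELS:
        return parse_firmware(version) >= parse_firmware(FIXED_GOT_FIRMWARE)
    if product in SOFTWARE:
        return parse_software(version) >= parse_software(FIXED_SOFTWARE)
    raise ValueError(f"product not covered by CVE-2023-0525: {product!r}")

def assess(asset):
    """Classify one inventory record. 'secure_transfer' (assumed field name) records
    whether Data Transfer Security or the SoftGOT-GOT link function is enabled."""
    if is_fixed(asset["product"], asset["version"]):
        return "patched"
    if not asset["secure_transfer"]:
        return "unpatched, function disabled (workaround only)"
    return "vulnerable"

# Constructed sample inventory, not real devices.
SAMPLE_INVENTORY = [
    {"host": "hmi-line1", "product": "GT27", "version": "01.49.000", "secure_transfer": True},
    {"host": "hmi-line2", "product": "GS21", "version": "01.50.000", "secure_transfer": True},
    {"host": "eng-ws-01", "product": "GT Designer3", "version": "1.295Z", "secure_transfer": False},
    {"host": "eng-ws-02", "product": "GT SoftGOT2000", "version": "1.296A", "secure_transfer": True},
]

if __name__ == "__main__":
    for a in SAMPLE_INVENTORY:
        print(f"{a['host']:10} {a['product']:15} {a['version']:10} {assess(a)}")
```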
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts after password exposure
- Unusual access patterns to HMI interfaces
Network Indicators:
- Sniffing traffic on ports used by GT Designer3/GOT communication (typically 5006-5007/TCP)
- Unencrypted or weakly encrypted password packets in network captures
SIEM Query:
source="network_traffic" AND protocol="TCP" AND (dest_port=5006 OR dest_port=5007) AND (payload_contains="password" OR payload_size<100)
🔗 References
- https://jvn.jp/vu/JVNVU95285923/index.html
- https://www.cisa.gov/news-events/ics-advisories/icsa-23-215-02
- https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-008_en.pdf