Vulnerabilities (CVE)

Filtered by vendor Mitsubishielectric Subscribe
Total 158 CVE
CVE Vendors Products Updated CVSS v2 CVSS v3
CVE-2024-7587 2 Iconics, Mitsubishielectric 2 Genesis64, Mc Works64 2024-11-05 N/A 7.8 HIGH
Incorrect Default Permissions vulnerability in GenBroker32, which is included in the installers for ICONICS GENESIS64 version 10.97.3 and prior, Mitsubishi Electric GENESIS64 version 10.97.3 and prior and Mitsubishi Electric MC Works64 all versions allows a local authenticated attacker to disclose or tamper with confidential information and data contained in the products, or cause a denial of service (DoS) condition on the products, by accessing a folder with incorrect permissions, when GenBroker32 is installed on the same PC as GENESIS64 or MC Works64.
CVE-2023-6943 1 Mitsubishielectric 10 Ezsocket, Fr Configurator2, Got1000 and 7 more 2024-11-01 N/A 9.8 CRITICAL
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in Mitsubishi Electric Corporation EZSocket versions 3.0 and later, GT Designer3 Version1(GOT1000) all versions, GT Designer3 Version1(GOT2000) all versions, GX Works2 versions 1.11M and later, GX Works3 versions 1.106L and prior, MELSOFT Navigator versions 1.04E and later, MT Works2 all versions, MX Component versions 4.00A and later and MX OPC Server DA/UA all versions allows a remote unauthenticated attacker to execute a malicious code by RPC with a path to a malicious library while connected to the products.
CVE-2023-6942 1 Mitsubishielectric 10 Ezsocket, Fr Configurator2, Got1000 and 7 more 2024-11-01 N/A 7.5 HIGH
Missing Authentication for Critical Function vulnerability in Mitsubishi Electric Corporation EZSocket versions 3.0 and later, GT Designer3 Version1(GOT1000) all versions, GT Designer3 Version1(GOT2000) all versions, GX Works2 versions 1.11M and later, GX Works3 versions 1.106L and prior, MELSOFT Navigator versions 1.04E and later, MT Works2 all versions, MX Component versions 4.00A and later and MX OPC Server DA/UA all versions allows a remote unauthenticated attacker to bypass authentication by sending specially crafted packets and connect to the products illegally.
CVE-2023-2062 1 Mitsubishielectric 8 Fx5-enet\/ip, Fx5-enet\/ip Firmware, Rj71eip91 and 5 more 2024-10-31 N/A 6.2 MEDIUM
Missing Password Field Masking vulnerability in Mitsubishi Electric Corporation EtherNet/IP configuration tools SW1DNN-EIPCT-BD and SW1DNN-EIPCTFX5-BD allows a remote unauthenticated attacker to know the password for MELSEC iQ-R Series EtherNet/IP module RJ71EIP91 and MELSEC iQ-F Series EtherNet/IP module FX5-ENET/IP. This vulnerability results in authentication bypass vulnerability, which allows the attacker to access MELSEC iQ-R Series EtherNet/IP module RJ71EIP91 and MELSEC iQ-F Series EtherNet/IP module FX5-ENET/IP via FTP.
CVE-2024-22105 2 Jungo, Mitsubishielectric 43 Windriver, Cpu Module Logging Configuration Tool, Cw Configurator and 40 more 2024-10-30 N/A 5.5 MEDIUM
Denial of Service (DoS) vulnerability in Jungo WinDriver before 12.5.1 allows local attackers to cause a Windows blue screen error.
CVE-2024-25087 2 Jungo, Mitsubishielectric 43 Windriver, Cpu Module Logging Configuration Tool, Cw Configurator and 40 more 2024-10-30 N/A 5.5 MEDIUM
Denial of Service (DoS) vulnerability in Jungo WinDriver before 12.7.0 allows local attackers to cause a Windows blue screen error.
CVE-2023-51777 2 Jungo, Mitsubishielectric 43 Windriver, Cpu Module Logging Configuration Tool, Cw Configurator and 40 more 2024-10-28 N/A 5.5 MEDIUM
Denial of Service (DoS) vulnerability in Jungo WinDriver before 12.1.0 allows local attackers to cause a Windows blue screen error.
CVE-2023-6815 1 Mitsubishielectric 16 R08psfcpu, R08psfcpu Firmware, R08sfcpu and 13 more 2024-10-22 N/A 6.5 MEDIUM
Incorrect Privilege Assignment vulnerability in Mitsubishi Electric Corporation MELSEC iQ-R Series Safety CPU R08/16/32/120SFCPU all versions and MELSEC iQ-R Series SIL2 Process CPU R08/16/32/120PSFCPU all versions allows a remote authenticated attacker who has logged into the product as a non-administrator user to disclose the credentials (user ID and password) of a user with a lower access level than the attacker by sending a specially crafted packet.
CVE-2020-14521 1 Mitsubishielectric 60 C Controller Interface Module Utility, C Controller Module Setting And Monitoring Tool, Cc-link Ie Control Network Data Collector and 57 more 2024-09-17 7.5 HIGH 9.8 CRITICAL
Multiple Mitsubishi Electric Factory Automation engineering software products have a malicious code execution vulnerability. A malicious attacker could use this vulnerability to obtain information, modify information, and cause a denial-of-service condition.
CVE-2019-14929 2 Inea, Mitsubishielectric 4 Me-rtu, Me-rtu Firmware, Smartrtu and 1 more 2024-09-10 5.0 MEDIUM 9.8 CRITICAL
An issue was discovered on Mitsubishi Electric Europe B.V. ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. Stored cleartext passwords could allow an unauthenticated attacker to obtain configured username and password combinations on the RTU due to the weak credentials management on the RTU. An unauthenticated user can obtain the exposed password credentials to gain access to the following services: DDNS service, Mobile Network Provider, and OpenVPN service.
CVE-2019-14928 2 Inea, Mitsubishielectric 4 Me-rtu, Me-rtu Firmware, Smartrtu and 1 more 2024-09-10 3.5 LOW 5.4 MEDIUM
An issue was discovered on Mitsubishi Electric Europe B.V. ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. A number of stored cross-site script (XSS) vulnerabilities allow an attacker to inject malicious code directly into the application. An example input variable vulnerable to stored XSS is SerialInitialModemString in the index.php page.
CVE-2019-14931 2 Inea, Mitsubishielectric 4 Me-rtu, Me-rtu Firmware, Smartrtu and 1 more 2024-09-10 10.0 HIGH 9.8 CRITICAL
An issue was discovered on Mitsubishi Electric Europe B.V. ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. An unauthenticated remote OS Command Injection vulnerability allows an attacker to execute arbitrary commands on the RTU due to the passing of unsafe user supplied data to the RTU's system shell. Functionality in mobile.php provides users with the ability to ping sites or IP addresses via Mobile Connection Test. When the Mobile Connection Test is submitted, action.php is called to execute the test. An attacker can use a shell command separator (;) in the host variable to execute operating system commands upon submitting the test data.
CVE-2019-14930 2 Inea, Mitsubishielectric 4 Me-rtu, Me-rtu Firmware, Smartrtu and 1 more 2024-09-10 10.0 HIGH 9.8 CRITICAL
An issue was discovered on Mitsubishi Electric Europe B.V. ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. Undocumented hard-coded user passwords for root, ineaadmin, mitsadmin, and maint could allow an attacker to gain unauthorised access to the RTU. (Also, the accounts ineaadmin and mitsadmin are able to escalate privileges to root without supplying a password due to insecure entries in /etc/sudoers on the RTU.)
CVE-2019-14927 2 Inea, Mitsubishielectric 4 Me-rtu, Me-rtu Firmware, Smartrtu and 1 more 2024-09-10 5.0 MEDIUM 7.5 HIGH
An issue was discovered on Mitsubishi Electric Europe B.V. ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. An unauthenticated remote configuration download vulnerability allows an attacker to download the smartRTU's configuration file (which contains data such as usernames, passwords, and other sensitive RTU data).
CVE-2019-14926 2 Inea, Mitsubishielectric 4 Me-rtu, Me-rtu Firmware, Smartrtu and 1 more 2024-09-10 7.5 HIGH 9.8 CRITICAL
An issue was discovered on Mitsubishi Electric Europe B.V. ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. Hard-coded SSH keys allow an attacker to gain unauthorised access or disclose encrypted data on the RTU due to the keys not being regenerated on initial installation or with firmware updates. In other words, these devices use private-key values in /etc/ssh/ssh_host_rsa_key, /etc/ssh/ssh_host_ecdsa_key, and /etc/ssh/ssh_host_dsa_key files that are publicly available from the vendor web sites.
CVE-2019-14925 2 Inea, Mitsubishielectric 4 Me-rtu, Me-rtu Firmware, Smartrtu and 1 more 2024-09-10 4.0 MEDIUM 6.5 MEDIUM
An issue was discovered on Mitsubishi Electric Europe B.V. ME-RTU devices through 2.02 and INEA ME-RTU devices through 3.0. A world-readable /usr/smartrtu/init/settings.xml configuration file on the file system allows an attacker to read sensitive configuration settings such as usernames, passwords, and other sensitive RTU data due to insecure permission assignment.
CVE-2018-16061 1 Mitsubishielectric 2 Smartrtu, Smartrtu Firmware 2024-09-10 4.3 MEDIUM 6.1 MEDIUM
Mitsubishi Electric Europe B.V. SmartRTU devices allow XSS via the username parameter or PATH_INFO to login.php.
CVE-2018-16060 1 Mitsubishielectric 2 Smartrtu, Smartrtu Firmware 2024-09-10 5.0 MEDIUM 7.5 HIGH
Mitsubishi Electric Europe B.V. SmartRTU devices allow remote attackers to obtain sensitive information (directory listing and source code) via a direct request to the /web URI.
CVE-2024-25088 2 Jungo, Mitsubishielectric 43 Windriver, Cpu Module Logging Configuration Tool, Cw Configurator and 40 more 2024-08-01 N/A 7.8 HIGH
Improper privilege management in Jungo WinDriver before 12.5.1 allows local attackers to escalate privileges and execute arbitrary code.
CVE-2024-25086 2 Jungo, Mitsubishielectric 43 Windriver, Cpu Module Logging Configuration Tool, Cw Configurator and 40 more 2024-07-08 N/A 7.8 HIGH
Improper privilege management in Jungo WinDriver before 12.2.0 allows local attackers to escalate privileges and execute arbitrary code.