Mitsubishi Electric has disclosed a critical vulnerability affecting a range of their Electrical Discharge Machines. The flaw, identified as CVE-2023-21554, is attributed to improper input validation in the Microsoft Message Queuing service on Microsoft Windows. With a high CVSS v3.1 base score of 9.8, this vulnerability can be exploited remotely with low attack complexity, potentially leading to unauthorized disclosure, tampering, or destruction of information within the affected products. The impacted machines span various series and configurations, necessitating urgent attention.
Mitsubishi Electric recommends immediate action to mitigate the risk, urging users to install the latest updates and providing specific instructions in advisory 2023-022. The suggested measures include using firewalls and virtual private networks to prevent unauthorized access, restricting physical access to the affected products, and deploying anti-virus software on personal computers communicating with these machines. The critical infrastructure sectors, especially in the domain of critical manufacturing, are advised to exercise caution.
CISA (Cybersecurity & Infrastructure Security Agency) has coordinated with Mitsubishi Electric and endorses these mitigations. CISA further emphasizes the implementation of defensive measures and proactive cybersecurity strategies to safeguard industrial control systems. No known public exploitation targeting this vulnerability had been reported to CISA at the time of the advisory.
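The mitigations above boil down to a few checks an operator can run on each Windows PC that talks to an affected machine: is the Message Queuing service present and listening, is unsolicited inbound traffic to it blocked at the host firewall, and has the vendor-referenced update been applied. The following PowerShell script is an added example written for this summary; it is not code from Mitsubishi Electric, Microsoft or CISA. It assumes it is run as Administrator, that MSMQ listens on its documented default of TCP port 1801, and that the KB identifier is a placeholder to be taken from advisory 2023-022 or the Microsoft update guide.

```powershell
# Added example (not from the vendor or CISA advisories).
# Assumptions: run elevated on the PC communicating with the EDM; MSMQ uses
# its default TCP port 1801; $RequiredKb is a placeholder to fill in from
# the advisory before use.

$MsmqPort   = 1801
$RequiredKb = 'KB<from-advisory-2023-022>'   # placeholder, not a real KB number

function Test-MsmqExposure {
    $result = [ordered]@{}

    # 1. Is the Message Queuing service installed, and is it running?
    $svc = Get-Service -Name 'MSMQ' -ErrorAction SilentlyContinue
    $result.MsmqInstalled = [bool]$svc
    $result.MsmqRunning   = [bool]($svc -and $svc.Status -eq 'Running')

    # 2. Is anything listening on the MSMQ port right now?
    $listener = Get-NetTCPConnection -LocalPort $MsmqPort -State Listen -ErrorAction SilentlyContinue
    $result.PortListening = [bool]$listener

    # 3. Is there an enabled inbound host-firewall rule that blocks TCP/1801?
    $blockRules = Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Where-Object {
            $_ | Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
                Where-Object { $_.Protocol -eq 'TCP' -and (@($_.LocalPort) -contains "$MsmqPort") }
        }
    $result.InboundBlockRule = [bool]$blockRules

    # 4. Has the update named in the advisory been installed?
    $result.UpdateInstalled = [bool](Get-HotFix -Id $RequiredKb -ErrorAction SilentlyContinue)

    # A host is "exposed" if MSMQ is reachable and neither patched nor firewalled.
    $result.Exposed = $result.PortListening -and -not $result.UpdateInstalled -and -not $result.InboundBlockRule

    [pscustomobject]$result
}

function Add-MsmqInboundBlockRule {
    # Compensating control for hosts where inbound MSMQ from the network is
    # not required by the EDM software. Confirm that with the vendor first.
    New-NetFirewallRule -DisplayName 'Block inbound MSMQ (CVE-2023-21554 mitigation)' `
        -Direction Inbound -Protocol TCP -LocalPort $MsmqPort -Action Block -Profile Any
}

# Usage: report the current state; remediate only after reviewing the report.
Test-MsmqExposure | Format-List
```

`Exposed` is deliberately conservative: it treats a listening port without a confirmed patch or block rule as a finding, which is the state the advisory's firewall and update guidance is meant to close. Where the EDM software itself depends on MSMQ across the network, a blanket block rule is the wrong remedy; in that case the advisory's advice to restrict access with a firewall or VPN applies, and the rule should instead be scoped to the specific machine addresses that need to reach the host.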