CISA has recently released a critical Industrial Control Systems (ICS) advisory, focusing on a vulnerability (CVE-2023-6815) in Mitsubishi Electric’s MELSEC iQ-R Series Safety CPU. The advisory, published on February 13, 2024, emphasizes the importance of timely information on security issues surrounding ICS. The vulnerability, rated at a CVSS v3 score of 6.5, is remotely exploitable and could allow a non-administrator user to disclose the credentials of a user with a lower access level.
The technical details list the affected products, including the MELSEC iQ-R Series Safety CPU and SIL2 Process CPU modules, and associate the potential risk with incorrect privilege assignment. The background information identifies the affected critical infrastructure sector (Critical Manufacturing) and notes that the impacted products are deployed worldwide. The researcher, Reid Wightman of Dragos Inc., reported the vulnerability to Mitsubishi Electric.
Mitigations include upgrading to MELSEC iQ-R Series Safety CPU version 27 or later, used with GX Works3 version 1.087R or later. Additionally, CISA recommends defensive measures such as firewalls, VPNs, and IP filters, along with restrictions on physical access. The advisory concludes with an update history, which records the initial publication on February 13, 2024.