A critical vulnerability has been identified in Mitsubishi Electric’s MELIPC Series MI5122-VW, with a CVSS v3.1 base score of 8.8. The flaw, assigned CVE-2024-3904, involves incorrect default permissions in firmware versions “05” through “07.” This vulnerability allows local attackers to execute arbitrary code by placing a malicious file in a specific folder, potentially leading to significant security breaches.
The impact of this vulnerability is severe, as it could enable attackers to tamper with, destroy, or disclose sensitive information within the device. Additionally, it could result in a denial-of-service (DoS) condition, disrupting the normal operation of the product. This flaw poses a risk to critical manufacturing infrastructure globally, given the MI5122-VW’s widespread deployment.
Mitsubishi Electric has addressed this issue by releasing firmware version “08,” which mitigates the vulnerability. For those unable to update to this fixed version, Mitsubishi Electric has provided alternative workarounds and mitigations detailed in their advisory. Users are advised to consult the user manual for instructions on checking firmware versions and to follow the recommended security practices to protect their systems.
CISA has recommended additional defensive measures, including minimizing network exposure, using firewalls, and securing remote access through VPNs. Organizations should perform impact analysis and risk assessments before deploying any defensive measures and report any suspicious activities to CISA for further analysis. No known public exploitation of this vulnerability has been reported, but the potential for significant impact underscores the importance of timely action.
