Mitsubishi Electric has disclosed a critical vulnerability in its FA Engineering Software Products, identified as CVE-2023-4088, which has been assigned a CVSS v3 score of 9.3. This serious flaw arises from incorrect default permissions within the software, enabling local attackers to execute arbitrary OS commands. The potential consequences of this vulnerability are severe, including unauthorized information disclosure, data tampering or deletion, and the possibility of a denial-of-service (DoS) condition. This situation underscores the urgent need for organizations using these products to address the issue promptly.
The affected software products are extensive and include various tools used across Mitsubishi Electric’s FA Engineering suite. Specifically, all versions of AL-PCS/WIN-E, CPU Module Logging Configuration Tool, EZSocket, FR Configurator2, and multiple MELSOFT applications are vulnerable. The widespread impact of this issue indicates that a significant number of users could be at risk, making it crucial for those utilizing these software products to be aware of the potential threats and take necessary precautions.
Mitsubishi Electric has provided guidance on mitigating the risk associated with this vulnerability. Users are advised to upgrade to specified later versions of the affected software, which are designed to address the security issues identified. Additionally, it is recommended that these products be installed in their default locations to reduce the risk of exploitation. Other protective measures include the use of anti-virus software, implementation of firewalls, and restriction of remote access to the systems. By following these recommendations, organizations can better safeguard their systems against potential attacks.
The Cybersecurity and Infrastructure Security Agency (CISA) has also emphasized the importance of adopting comprehensive defensive measures. CISA advises organizations to perform detailed risk assessments and impact analyses before implementing any defensive strategies. Although no known public exploits of this vulnerability have been reported, maintaining robust cybersecurity practices and adhering to recommended security protocols are essential for protecting industrial control systems and preventing future security incidents.
Reference: