1. EXECUTIVE SUMMARY
- CVSS v3 9.3
- ATTENTION: Low attack complexity
- Vendor: Mitsubishi Electric
- Equipment: FA Engineering Software Products
- Vulnerability: Incorrect Default Permissions
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow a local attacker to execute code, which could result in information disclosure, tampering with and deletion of information, or a denial-of-service (DoS) condition.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Mitsubishi Electric FA Engineering Software Products are affected:
- GX Works3: All versions
3.2 Vulnerability Overview
3.2.1 INCORRECT DEFAULT PERMISSIONS CWE-276
In all versions of Mitsubishi Electric GX Works3, code execution is possible due to permission issues. This could allow an attacker to cause information disclosure, tampering with and deletion of information, or a denial-of-service (DoS) condition.
CVE-2023-4088 has been assigned to this vulnerability. A CVSS v3 base score of 9.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Japan
3.4 RESEARCHER
01dGu0 of ZHEJIANG QIAN INFORMATION & TECHNOLOGY CO., LTD reported this vulnerability to Mitsubishi Electric.
4. MITIGATIONS
Mitsubishi Electric recommends that customers take the following mitigation measures to minimize the risk of exploiting this vulnerability:
- Install the version described in the Mitsubishi Electric
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.This article has been indexed from All CISA AdvisoriesRead the original article: