PT-2019-13873 · Mitsubishi · Me-Rtu

Published: 2019-10-28 · Updated: 2024-09-10 · CVE-2019-14931

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Mitsubishi Electric Europe B.V. ME-RTU devices versions 2.02 and earlier; INEA ME-RTU devices versions 3.0 and earlier

Description: An unauthenticated remote OS command injection issue allows an attacker to execute arbitrary commands on the RTU because unsafe user-supplied data is passed to the RTU's system shell. The issue lies in the functionality in mobile.php that lets users ping sites or IP addresses via the Mobile Connection Test. When the Mobile Connection Test is submitted, action.php is called to execute the test. An attacker can use a shell command separator (;) in the host variable to execute operating system commands when submitting the test data.

Recommendations: For Mitsubishi Electric Europe B.V. ME-RTU devices versions 2.02 and earlier, consider disabling the Mobile Connection Test functionality in mobile.php until a patch is available. For INEA ME-RTU devices versions 3.0 and earlier, restrict access to the action.php file to minimize the risk of exploitation. As a temporary workaround, avoid using the host variable in the Mobile Connection Test until the issue is resolved.
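The advisory describes the classic shape of this bug: a web handler builds a ping command by concatenating a request parameter into a shell line. The following PHP is an added illustration written for this entry; it is not the vendor's mobile.php or action.php code, and the `$_POST['host']` parameter name, the `ping -c 3` invocation and the function names are assumptions. It places the injectable pattern beside a hardened form that validates the host against an allow-list and then runs the binary without any shell.

```php
<?php
// Added illustration for the ME-RTU advisory, not the vendor's code.
// Assumption: the Mobile Connection Test posts the target in $_POST['host'].

// VULNERABLE PATTERN: the request value is spliced straight into a shell line.
// Whatever the shell treats as syntax (the advisory names the ';' separator)
// is honoured, so the submitter decides which commands run on the RTU.
function ping_vulnerable(string $host): string
{
    return (string) shell_exec("ping -c 3 " . $host);
}

// Layer 1 of the fix: allow-list validation. Accept only an IP literal or a
// hostname built from RFC 1123 label characters; anything else is rejected
// before it gets near a process. A leading '-' is refused as well, so the
// value can never be mistaken for a ping option.
function validate_host(string $host): bool
{
    if ($host === '' || strlen($host) > 253) {
        return false;
    }
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    // labels of letters, digits and '-', not starting or ending with '-', dot-separated
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    return preg_match('/^' . $label . '(\.' . $label . ')*$/', $host) === 1;
}

// Layer 2 of the fix: no shell at all. proc_open() with an argument array
// (PHP 7.4 and later) executes ping directly, with $host as one argv entry,
// so shell metacharacters have no interpreter to reach.
function ping_hardened(string $host): string
{
    if (!validate_host($host)) {
        return 'error: invalid host';
    }
    $descriptors = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['ping', '-c', '3', $host], $descriptors, $pipes);
    if (!is_resource($proc)) {
        return 'error: could not start ping';
    }
    $out = stream_get_contents($pipes[1]) . stream_get_contents($pipes[2]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// Constructed inputs showing how the allow-list behaves (no network needed).
$samples = [
    '203.0.113.7',          // accepted: IPv4 literal
    'rtu-gateway.example',  // accepted: plain hostname
    '203.0.113.7; id',      // rejected: contains the separator the advisory describes
    '-f',                   // rejected: would otherwise be parsed as a ping option
    '',                     // rejected: empty
];
foreach ($samples as $s) {
    printf("%-24s %s\n", var_export($s, true), validate_host($s) ? 'accepted' : 'rejected');
}
```

On a PHP build older than 7.4, where proc_open() does not accept an argument array, keep the validation step and wrap the value with escapeshellarg() before it reaches shell_exec(); the validation alone already removes the separator characters, and the quoting is a second line of defence rather than a replacement for it.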

Weakness Enumeration: OS Command Injection

Related Identifiers: CVE-2019-14931

Affected Products: Me-Rtu