PT-2021-6790 · Mitsubishi · Melsec Q Series Qj72Br15+22

Anton Dorfman +3 · Published 2021-12-15 · Updated 2023-08-08 · CVE-2022-25155

CVSS v2.0: 6.8 (Medium)

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P

Name of the Vulnerable Software and Affected Versions

Mitsubishi Electric MELSEC iQ-F series FX5U(C) CPU all versions
Mitsubishi Electric MELSEC iQ-F series FX5UJ CPU all versions
Mitsubishi Electric MELSEC iQ-R series R00/01/02CPU all versions
Mitsubishi Electric MELSEC iQ-R series R04/08/16/32/120(EN)CPU all versions
Mitsubishi Electric MELSEC iQ-R series R08/16/32/120SFCPU all versions
Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PCPU all versions
Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PSFCPU all versions
Mitsubishi Electric MELSEC iQ-R series RJ71GN11-T2 all versions
Mitsubishi Electric MELSEC iQ-R series RJ71GN11-EIP all versions
Mitsubishi Electric MELSEC iQ-R series RJ71C24(-R2/R4) all versions
Mitsubishi Electric MELSEC iQ-R series RJ71EN71 all versions
Mitsubishi Electric MELSEC iQ-R series RJ72GF15-T2 all versions
Mitsubishi Electric MELSEC Q series Q03UDECPU all versions
Mitsubishi Electric MELSEC Q series Q04/06/10/13/20/26/50/100UDEHCPU all versions
Mitsubishi Electric MELSEC Q series Q03/04/06/13/26UDVCPU all versions
Mitsubishi Electric MELSEC Q series Q04/06/13/26UDPVCPU all versions
Mitsubishi Electric MELSEC Q series QJ71C24N(-R2/R4) all versions
Mitsubishi Electric MELSEC Q series QJ71E71-100 all versions
Mitsubishi Electric MELSEC Q series QJ72BR15 all versions
Mitsubishi Electric MELSEC Q series QJ72LP25(-25/G/GE) all versions
Mitsubishi Electric MELSEC L series L02/06/26CPU(-P) all versions
Mitsubishi Electric MELSEC L series L26CPU-(P)BT all versions
Mitsubishi Electric MELSEC L series LJ71C24(-R2) all versions
Mitsubishi Electric MELSEC L series LJ71E71-100 all versions
Mitsubishi Electric MELSEC L series LJ72GF15-T2 all versions

Description

The issue is related to the use of a password hash instead of the password for authentication, allowing a remote unauthenticated attacker to log in to the product by replaying an eavesdropped password hash. This may enable an attacker to gain unauthorized access to protected information.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Improper Authentication

Related Identifiers

BDU:2022-02199
CVE-2022-25155

Affected Products

Melsec L Series L02/06/26Cpu
Melsec L Series L26Cpu-(P)Bt
Melsec L Series Lj71C24
Melsec L Series Lj71E71-100
Melsec L Series Lj72Gf15-T2
Melsec Q Series Q03/04/06/13/26Udvcpu
Melsec Q Series Q03Udecpu
Melsec Q Series Q04/06/10/13/20/26/50/100Udehcpu
Melsec Q Series Q04/06/13/26Udpvcpu
Melsec Q Series Qj71C24N
Melsec Q Series Qj71E71-100
Melsec Q Series Qj72Br15
Melsec Q Series Qj72Lp25
Melsec Iq-F Series Fx5U(C) Cpu
Melsec Iq-F Series Fx5Uj Cpu
Melsec Iq-R Series R00/01/02Cpu
Melsec Iq-R Series R04/08/16/32/120(En)Cpu
Melsec Iq-R Series R08/16/32/120Psfcpu
Melsec Iq-R Series Rj71C24
Melsec Iq-R Series Rj71En71
Melsec Iq-R Series Rj71Gn11-Eip
Melsec Iq-R Series Rj71Gf11-T2
Melsec Iq-R Series Rj72Gf15-T2