CVE-2022-23128

Name of the Vulnerable Software and Affected Versions Mitsubishi Electric MC Works64 versions 4.00A (10.95.201.23) to 4.04E (10.95.210.01) ICONICS GENESIS64 versions 10.95.3 to 10.97 ICONICS Hyper Historian versions 10.95.3 to 10.97 ICONICS AnalytiX versions 10.95.3 to 10.97 ICONICS MobileHMI versions 10.95.3 to 10.97

Description The issue is related to an incomplete list of disallowed inputs, allowing a remote unauthenticated attacker to bypass authentication and gain unauthorized access to the products by sending specially crafted WebSocket packets to the FrameWorX server. This can be done without proper authentication, potentially leading to unauthorized access.

Recommendations For Mitsubishi Electric MC Works64 versions 4.00A (10.95.201.23) to 4.04E (10.95.210.01), update to a version outside of this range to mitigate the risk. For ICONICS GENESIS64 versions 10.95.3 to 10.97, consider disabling the FrameWorX server functionality until a patch is available. For ICONICS Hyper Historian versions 10.95.3 to 10.97, restrict access to the FrameWorX server to minimize the risk of exploitation. For ICONICS AnalytiX versions 10.95.3 to 10.97, avoid using the WebSocket protocol in the affected API endpoint until the issue is resolved. For ICONICS MobileHMI versions 10.95.3 to 10.97, as a temporary workaround, consider disabling the FrameWorX server function until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.