CVE-2023-2846

Name of the Vulnerable Software and Affected Versions MELSEC iQ-F Series versions FX3U, FX3UC, FX3G, FX3GC-32MT, FX3GE, FX3GA, FX3S, and FX3SA

Description The issue is related to an authentication bypass vulnerability using a capture-replay attack on intercepted parameters. This could allow a remote attacker to bypass security restrictions and reset login settings by sending specially crafted packets. The vulnerability affects the Ethernet modules FX3U-ENET-ADP and FX3U-ENET(-L) of the MELSEC iQ-F Series programmable logic controllers.

Recommendations For MELSEC iQ-F Series versions FX3U, FX3UC, FX3G, FX3GC-32MT, FX3GE, FX3GA, FX3S, and FX3SA, consider disabling the Ethernet modules FX3U-ENET-ADP and FX3U-ENET(-L) as a temporary workaround until a patch is available. Restrict access to the affected modules to minimize the risk of exploitation. Avoid using the affected products for critical operations until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.