PT-2023-6891 · Mitsubishi · MELSEC-L Series +8

Published: 2023-11-02 · Updated: 2025-12-16 · CVE-2023-4699

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Mitsubishi Electric Corporation MELSEC-F Series CPU modules (affected versions not specified)
Mitsubishi Electric Corporation MELSEC iQ-F Series (affected versions not specified)
Mitsubishi Electric Corporation MELSEC iQ-R series CPU modules (affected versions not specified)
Mitsubishi Electric Corporation MELSEC iQ-R series (affected versions not specified)
Mitsubishi Electric Corporation MELSEC iQ-L series (affected versions not specified)
Mitsubishi Electric Corporation MELSEC Q series (affected versions not specified)
Mitsubishi Electric Corporation MELSEC-L series (affected versions not specified)
Mitsubishi Electric CNC M800V/M80V series (affected versions not specified)
Mitsubishi Electric CNC M800/M80/E80 series (affected versions not specified)
Mitsubishi Electric CNC M700V/M70V/E70 series (affected versions not specified)

Description

The issue is related to insufficient authentication for critical functions, allowing a remote unauthenticated attacker to execute arbitrary commands by sending specific packets to the affected products. This could lead to disclosure or tampering with information by reading or writing control programs, or cause a denial-of-service (DoS) condition on the products by resetting the memory contents of the products to factory settings or resetting the products remotely.

Recommendations

For Mitsubishi Electric Corporation MELSEC-F Series CPU modules, consider disabling remote access until a patch is available. For Mitsubishi Electric Corporation MELSEC iQ-F Series, restrict access to critical functions to minimize the risk of exploitation. For Mitsubishi Electric Corporation MELSEC iQ-R series CPU modules, MELSEC iQ-R series, MELSEC iQ-L series, MELSEC Q series, MELSEC-L series, Mitsubishi Electric CNC M800V/M80V series, Mitsubishi Electric CNC M800/M80/E80 series, and Mitsubishi Electric CNC M700V/M70V/E70 series, avoid using the affected products for critical operations until a fix is provided. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Insufficient Verification of Data Authenticity
Missing Authentication

Related Identifiers

BDU:2023-07906
CVE-2023-4699

Affected Products

MELSEC-Q Series
MELSEC iQ-F Series
MELSEC-L Series
MELSEC iQ-R Series
MELSEC iQ-R Series CPU Modules
MELSEC-F Series CPU Modules
Mitsubishi Electric CNC M700V/M70V/E70 Series
Mitsubishi Electric CNC M800/M80/E80 Series
Mitsubishi Electric CNC M800V/M80V Series