A vulnerability classified as problematic was found in Mitsubishi Electric MELSEC iQ-R (affected version unknown). This vulnerability affects an unknown functionality. The manipulation with an unknown input leads to a missing password field masking vulnerability. The CWE definition for the vulnerability is CWE-549. The product does not mask passwords during entry, increasing the potential for attackers to observe and capture passwords. As an impact it is known to affect confidentiality. CVE summarizes:

Missing Password Field Masking vulnerability in Mitsubishi Electric Corporation EtherNet/IP configuration tools SW1DNN-EIPCT-BD and SW1DNN-EIPCTFX5-BD allows a remote unauthenticated attacker to know the password for MELSEC iQ-R Series EtherNet/IP module RJ71EIP91 and MELSEC iQ-F Series EtherNet/IP module FX5-ENET/IP. This vulnerability results in authentication bypass vulnerability, which allows the attacker to access MELSEC iQ-R Series EtherNet/IP module RJ71EIP91 and MELSEC iQ-F Series EtherNet/IP module FX5-ENET/IP via FTP.

The weakness was presented 06/02/2023. The advisory is available at jvn.jp. This vulnerability was named CVE-2023-2062 since 04/14/2023. The technical details are unknown and an exploit is not available. This vulnerability is assigned to T1552 by the MITRE ATT&CK project.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

Productinfo

Vendor

• Mitsubishi Electric

Name

• MELSEC iQ-R

License

• commercial

CPE 2.3info

• 🔒

CPE 2.2info

• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion