CVE-2018-16060
Description
Mitsubishi Electric SmartRTU devices are vulnerable to directory listing and source code disclosure via direct requests to the /web URI.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Mitsubishi Electric Europe B.V. SmartRTU devices are susceptible to sensitive information disclosure. Attackers can obtain directory listings and source code by sending a direct HTTP GET request to the /web URI. The vulnerability affects the ME RTU product line [1].
Exploitation
An unauthenticated remote attacker can exploit this vulnerability by crafting a specific HTTP GET request to the /web endpoint of the affected device. No user interaction or special privileges are required. The attacker needs network access to the device's web interface [1].
Impact
Successful exploitation allows an attacker to retrieve sensitive information, including directory listings and the application's source code. This information could be used to discover further vulnerabilities or to gain deeper insight into the system's configuration and functionality.
Mitigation
No specific patch or fixed-version information is available in the provided references. Users are advised to restrict network access to the affected devices and to monitor for official advisories from Mitsubishi Electric or INEA regarding this vulnerability. The vulnerability was disclosed in October 2021, but the description does not state whether a fix has been released [1].
AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Mitsubishi Electric Europe B.V. / SmartRTU devices
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The web server improperly exposes archive files containing source code and other sensitive information."
Attack vector
A remote attacker can obtain sensitive information by sending a direct HTTP GET request to the "/web" URI on the affected device [ref_id=1]. This request bypasses authentication and directly accesses the web.tar archive, which contains source code and other sensitive data [ref_id=1]. The server responds with the archive file, allowing the attacker to download its contents.
Affected code
The vulnerability lies in the web server's handling of requests to the "/web" URI. Specifically, the server is configured to serve the "web.tar" file directly when this URI is accessed, without proper authentication or access controls [ref_id=1].
What the fix does
The advisory does not specify a patch or provide details on how the vulnerability is fixed. Remediation guidance is not available in the provided information.
Preconditions
- Network: the attacker must have network access to the target device.
Reproduction
# PoC
# Request
GET /web HTTP/1.1
Host: **.**.**.***
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
# Response
HTTP/1.1 200 OK
Date: Wed, 08 Aug 2018 08:09:53 GMT
Server: Apache/2.4.7 (Ubuntu)
Content-Location: web.tar
Vary: negotiate
TCN: choice
Last-Modified: Wed, 19 Nov 2014 09:40:36 GMT
ETag: "93800-5083300f58d00;51179459a2c00"
Accept-Ranges: bytes
Content-Length: 604160
Connection: close
Content-Type: application/x-tar
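The response headers TCN: choice, Vary: negotiate and Content-Location: web.tar are the markers Apache's mod_negotiation emits, which suggests that content negotiation resolved the extensionless /web request to the web.tar archive; that reading is an inference from the headers, not something the advisory states. As an added defensive check (example code, not from the advisory or the vendor), this Python snippet parses a raw response head and flags an archive served through such negotiation; ARCHIVE_TYPES and the function names are my own.

```python
"""Flag HTTP responses where an extensionless request path was satisfied
by server-side content negotiation with an archive file."""

ARCHIVE_TYPES = {"application/x-tar", "application/zip", "application/gzip",
                 "application/x-gzip", "application/x-7z-compressed"}

# Constructed sample: the response head shown in the PoC above, body omitted.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Date: Wed, 08 Aug 2018 08:09:53 GMT
Server: Apache/2.4.7 (Ubuntu)
Content-Location: web.tar
Vary: negotiate
TCN: choice
Last-Modified: Wed, 19 Nov 2014 09:40:36 GMT
ETag: "93800-5083300f58d00;51179459a2c00"
Accept-Ranges: bytes
Content-Length: 604160
Connection: close
Content-Type: application/x-tar
"""


def parse_response(raw):
    """Return (status_code, {lower-case header name: value}) from a raw head."""
    lines = raw.strip().splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def audit_response(request_path, raw):
    """Return a list of findings for the response to request_path.
    An empty list means no negotiation-served archive was detected."""
    status, h = parse_response(raw)
    findings = []
    if status != 200:
        return findings
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype in ARCHIVE_TYPES:
        findings.append(f"archive served: {ctype}")
    # TCN: choice and Vary: negotiate come from Apache mod_negotiation
    # (MultiViews); Content-Location names the variant it selected.
    if h.get("tcn") == "choice" or "negotiate" in h.get("vary", "").lower():
        chosen = h.get("content-location", "")
        if chosen and chosen != request_path.rsplit("/", 1)[-1]:
            findings.append(f"content negotiation mapped {request_path} to {chosen}")
    return findings
```

Running audit_response("/web", SAMPLE_RESPONSE) on the advisory's response reports both the archive content type and the /web to web.tar mapping; a plain 200 text/html response without negotiation headers yields no findings.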
Reference :
https://drive.google.com/open?id=1QMHwTnBbIqrTkR0NEpnTKssYdi8vRsHH [ref_id=1]
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.