CVE-2019-10976
Description
Mitsubishi Electric FR Configurator2, Version 1.16S and prior. This vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project and/or template file (.frc2). Once a user opens the file, the attacker could read arbitrary files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Mitsubishi Electric FR Configurator2 versions ≤1.16S are vulnerable to XXE via crafted .frc2 files, allowing arbitrary file read when opened.
Vulnerability
Mitsubishi Electric FR Configurator2 versions 1.16S and prior contain an improper restriction of XML external entity reference vulnerability (CWE-611) [1]. The XML parser does not sanitize input when parsing project or template files (.frc2), allowing XXE attacks [1].
Exploitation
An attacker can craft a malicious .frc2 file containing an external entity reference to an arbitrary file on the system. The victim must open the file using FR Configurator2 [1]. No special privileges or network access are required; the attack vector is local via user interaction [1].
Impact
Successful exploitation allows the attacker to read arbitrary files from the local file system, leading to information disclosure [1]. The CVSS v3 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H) indicates high confidentiality impact [1].
Mitigation
Mitsubishi Electric has released version 1.17T to address this vulnerability. Users should update to the latest version available from the Mitsubishi Electric website [1]. No workarounds are documented in the advisory.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=1.16S
- Mitsubishi Electric/Mitsubishi Electric FR Configurator2, v5, Range: Version 1.16S and prior
References
- [1] www.us-cert.gov/ics/advisories/icsa-19-204-01 (mitre, x_refsource_MISC)