CVE-2020-5596
Description
TCP/IP function included in the firmware of Mitsubishi Electric GOT2000 series (CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model) does not properly manage sessions, which may allow a remote attacker to stop the network functions of the products or execute a malicious program via a specially crafted packet.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Session fixation in Mitsubishi Electric GOT2000 series TCP/IP stack allows remote attackers to hijack sessions and stop network functions or execute arbitrary code.
Vulnerability
CVE-2020-5596 is a session fixation vulnerability (CWE-384) in the TCP/IP function of the CoreOS firmware on Mitsubishi Electric GOT2000 series HMI models GT27, GT25, and GT23 running CoreOS version -Y and earlier [1]. The flaw lies in how the session management handles authentication tokens, allowing reuse of unchanging session identifiers across connections.
Exploitation
An attacker on the network can craft a specially designed TCP/IP packet that establishes a new session with a known identifier and tricks a legitimate user or device into authenticating to that session [1]. No prior authentication is required, but the attacker must be able to inject packets into the network segment reachable by the GOT2000 unit.
Impact
Successful exploitation enables the attacker to hijack an active session, potentially stopping the network functions of the GOT2000 or executing a malicious program on the device [1]. This can lead to denial of service (DoS) and arbitrary code execution within the context of the CoreOS firmware.
Mitigation
Mitsubishi Electric has released the fix in CoreOS version Z and later, which is available via MELSOFT GT Designer3(2000) version 1.240A and later [1]. Users should update the CoreOS by following the vendor's instructions, and as a workaround restrict network access from untrusted hosts or networks to reduce exposure [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2<= version -Y+ 1 more
- (no CPE)range: <= version -Y
- (no CPE)range: CoreOS with version -Y and earlier installed in GT27 Model, GT25 Model, and GT23 Model
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
2- jvn.jp/en/vu/JVNVU95413676/index.htmlmitrex_refsource_MISC
- www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-005_en.pdfmitrex_refsource_MISC
News mentions
0No linked articles in our index yet.