VYPR
Unrated severity · NVD Advisory · Published Jun 30, 2020 · Updated Aug 4, 2024

CVE-2020-5602

Description

Mitsubishi Electric FA Engineering Software (CPU Module Logging Configuration Tool Ver. 1.94Y and earlier, CW Configurator Ver. 1.010L and earlier, EM Software Development Kit (EM Configurator) Ver. 1.010L and earlier, GT Designer3 (GOT2000) Ver. 1.221F and earlier, GX LogViewer Ver. 1.96A and earlier, GX Works2 Ver. 1.586L and earlier, GX Works3 Ver. 1.058L and earlier, M_CommDTM-HART Ver. 1.00A, M_CommDTM-IO-Link Ver. 1.02C and earlier, MELFA-Works Ver. 4.3 and earlier, MELSEC-L Flexible High-Speed I/O Control Module Configuration Tool Ver. 1.004E and earlier, MELSOFT FieldDeviceConfigurator Ver. 1.03D and earlier, MELSOFT iQ AppPortal Ver. 1.11M and earlier, MELSOFT Navigator Ver. 2.58L and earlier, MI Configurator Ver. 1.003D and earlier, Motion Control Setting Ver. 1.005F and earlier, MR Configurator2 Ver. 1.72A and earlier, MT Works2 Ver. 1.156N and earlier, RT ToolBox2 Ver. 3.72A and earlier, and RT ToolBox3 Ver. 1.50C and earlier) allows an attacker to conduct XML External Entity (XXE) attacks via unspecified vectors.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Multiple Mitsubishi Electric FA Engineering Software products are vulnerable to XML External Entity (XXE) attacks via specially crafted project files, potentially leading to local file disclosure.

Vulnerability

CVE-2020-5602 is an XML External Entity (XXE) vulnerability (CWE-611) present in multiple Mitsubishi Electric FA Engineering Software products, including CPU Module Logging Configuration Tool Ver. 1.94Y and earlier, CW Configurator Ver. 1.010L and earlier, and many others (see reference [1] for full list). The vulnerability arises from improper restriction of XML external entity references when processing XML data.

Exploitation

An attacker can exploit this vulnerability by convincing a user to open a specially crafted project file or settings data file. No authentication or user interaction beyond opening the file is required. The attack vector is local (AV:L) and requires no privileges (PR:N). The attacker does not need any special network position; the malicious file can be delivered via email, download, or other means.

Impact

Successful exploitation allows an attacker to read arbitrary files on the local system where the affected software is running. The CVSS v3 base score is 4.0 (Low), with confidentiality impact rated as Low, and no impact on integrity or availability. The attacker gains access to file contents that the software process can read, potentially exposing sensitive information.

Mitigation

Mitsubishi Electric has released updated versions of the affected software to address this vulnerability. Users should update to the latest versions as specified in the vendor's advisory [1]. No workarounds are documented; the recommended mitigation is to apply the patches. As of the publication date (2020-06-30), fixed versions are available.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Range: <=1.010L
  • Mitsubishi Electric Corporation/Mitsubishi Electric FA Engineering Software · v5
    Range: CPU Module Logging Configuration Tool Ver. 1.94Y and earlier, CW Configurator Ver. 1.010L and earlier, EM Software Development Kit (EM Configurator) Ver. 1.010L and earlier, GT Designer3 (GOT2000) Ver. 1.221F and earlier, GX LogViewer Ver. 1.96A and earlier, GX Works2 Ver. 1.586L and earlier, GX Works3 Ver. 1.058L and earlier, M_CommDTM-HART Ver. 1.00A, M_CommDTM-IO-Link Ver. 1.02C and earlier, MELFA-Works Ver. 4.3 and earlier, MELSEC-L Flexible High-Speed I/O Control Module Configuration Tool Ver. 1.004E and earlier, MELSOFT FieldDeviceConfigurator Ver. 1.03D and earlier, MELSOFT iQ AppPortal Ver. 1.11M and earlier, MELSOFT Navigator Ver. 2.58L and earlier, MI Configurator Ver. 1.003D and earlier, Motion Control Setting Ver. 1.005F and earlier, MR Configurator2 Ver. 1.72A and earlier, MT Works2 Ver. 1.156N and earlier, RT ToolBox2 Ver. 3.72A and earlier, and RT ToolBox3 Ver. 1.50C and earlier
