VYPR
Unrated severity · NVD Advisory · Published Jun 30, 2020 · Updated Aug 4, 2024

CVE-2020-5603

Description

Uncontrolled resource consumption vulnerability in Mitsubishi Electric FA Engineering Software (CPU Module Logging Configuration Tool Ver. 1.94Y and earlier, CW Configurator Ver. 1.010L and earlier, EM Software Development Kit (EM Configurator) Ver. 1.010L and earlier, GT Designer3 (GOT2000) Ver. 1.221F and earlier, GX LogViewer Ver. 1.96A and earlier, GX Works2 Ver. 1.586L and earlier, GX Works3 Ver. 1.058L and earlier, M_CommDTM-HART Ver. 1.00A, M_CommDTM-IO-Link Ver. 1.02C and earlier, MELFA-Works Ver. 4.3 and earlier, MELSEC-L Flexible High-Speed I/O Control Module Configuration Tool Ver. 1.004E and earlier, MELSOFT FieldDeviceConfigurator Ver. 1.03D and earlier, MELSOFT iQ AppPortal Ver. 1.11M and earlier, MELSOFT Navigator Ver. 2.58L and earlier, MI Configurator Ver. 1.003D and earlier, Motion Control Setting Ver. 1.005F and earlier, MR Configurator2 Ver. 1.72A and earlier, MT Works2 Ver. 1.156N and earlier, RT ToolBox2 Ver. 3.72A and earlier, and RT ToolBox3 Ver. 1.50C and earlier) allows an attacker to cause a denial-of-service (DoS) condition via unspecified vectors.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Mitsubishi FA Engineering Software (multiple products) is vulnerable to denial of service via specially crafted XML that causes uncontrolled resource consumption.

Vulnerability

This vulnerability is an uncontrolled resource consumption (CWE-400) issue present in a wide range of Mitsubishi Electric FA Engineering Software products, including CPU Module Logging Configuration Tool Ver. 1.94Y and earlier, CW Configurator Ver. 1.010L and earlier, EM Software Development Kit (EM Configurator) Ver. 1.010L and earlier, GT Designer3 (GOT2000) Ver. 1.221F and earlier, GX LogViewer Ver. 1.96A and earlier, GX Works2 Ver. 1.586L and earlier, GX Works3 Ver. 1.058L and earlier, M_CommDTM-HART Ver. 1.00A, M_CommDTM-IO-Link Ver. 1.02C and earlier, MELFA-Works Ver. 4.3 and earlier, MELSEC-L Flexible High-Speed I/O Control Module Configuration Tool Ver. 1.004E and earlier, MELSOFT FieldDeviceConfigurator Ver. 1.03D and earlier, MELSOFT iQ AppPortal Ver. 1.11M and earlier, MELSOFT Navigator Ver. 2.58L and earlier, MI Configurator Ver. 1.003D and earlier, Motion Control Setting Ver. 1.005F and earlier, MR Configurator2 Ver. 1.72A and earlier, MT Works2 Ver. 1.156N and earlier, RT ToolBox2 Ver. 3.72A and earlier, and RT ToolBox3 Ver. 1.50C and earlier [1]. The flaw arises from improper processing of XML data, which can be exploited to cause a denial-of-service condition [1].

Exploitation

An attacker does not require any authentication or user interaction to trigger the vulnerability; it can be exploited by convincing a user to open a specially crafted project file or settings data file [1]. The attack vector is local, meaning the attacker must deliver the malicious file to the target system and have the user open it in the affected application [1]. Exploitation does not depend on network access or privileges, but relies on the victim opening the file.

Impact

Successful exploitation leads to a denial-of-service condition in which the targeted application becomes unresponsive or crashes; the availability impact is rated High. The CVSS v3 base score for this vulnerability is 6.2 (AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) [1]. There is no impact on confidentiality or integrity from this specific CVE [1].

Mitigation

Mitsubishi Electric has not released an official patch announcement in the available references, and no fixed versions are listed as of the publication date [1]. Users are advised to follow the vendor's guidance, which may include avoiding opening untrusted project files and applying any future updates from Mitsubishi Electric. No workaround details are provided in the public advisories [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4
  • Range: <=1.010L
  • Mitsubishi Electric Corporation/Mitsubishi Electric FA Engineering Software v5
    Range: CPU Module Logging Configuration Tool Ver. 1.94Y and earlier, CW Configurator Ver. 1.010L and earlier, EM Software Development Kit (EM Configurator) Ver. 1.010L and earlier, GT Designer3 (GOT2000) Ver. 1.221F and earlier, GX LogViewer Ver. 1.96A and earlier, GX Works2 Ver. 1.586L and earlier, GX Works3 Ver. 1.058L and earlier, M_CommDTM-HART Ver. 1.00A, M_CommDTM-IO-Link Ver. 1.02C and earlier, MELFA-Works Ver. 4.3 and earlier, MELSEC-L Flexible High-Speed I/O Control Module Configuration Tool Ver.1.004E and earlier, MELSOFT FieldDeviceConfigurator Ver. 1.03D and earlier, MELSOFT iQ AppPortal Ver. 1.11M and earlier, MELSOFT Navigator Ver. 2.58L and earlier, MI Configurator Ver. 1.003D and earlier, Motion Control Setting Ver. 1.005F and earlier, MR Configurator2 Ver. 1.72A and earlier, MT Works2 Ver. 1.156N and earlier, RT ToolBox2 Ver. 3.72A and earlier, and RT ToolBox3 Ver. 1.50C and earlier

Patches

0

No patches discovered yet.

References

2
