CVE-2021-20590
Description
Improper authentication vulnerability in GOT2000 series GT27 model VNC server versions 01.39.010 and prior, GOT2000 series GT25 model VNC server versions 01.39.010 and prior, GOT2000 series GT21 model GT2107-WTBD VNC server versions 01.40.000 and prior, GOT2000 series GT21 model GT2107-WTSD VNC server versions 01.40.000 and prior, GOT SIMPLE series GS21 model GS2110-WTBD-N VNC server versions 01.40.000 and prior and GOT SIMPLE series GS21 model GS2107-WTBD-N VNC server versions 01.40.000 and prior allows a remote unauthenticated attacker to gain unauthorized access via specially crafted packets when the "VNC server" function is used.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Mitsubishi GOT2000 and GOT SIMPLE series VNC servers allow remote authentication bypass via specially crafted packets.
Vulnerability
An improper authentication vulnerability (CWE-287) exists in the VNC server function of Mitsubishi GOT2000 series (GT27, GT25, GT21) and GOT SIMPLE series (GS21) HMI devices. Affected versions: GT27 and GT25 VNC server versions 01.39.010 and prior; GT2107-WTBD and GT2107-WTSD VNC server versions 01.40.000 and prior; GS2110-WTBD-N and GS2107-WTBD-N VNC server versions 01.40.000 and prior. The vulnerability is only exploitable when the VNC server function is enabled [1].
Exploitation
A remote unauthenticated attacker can exploit this vulnerability by sending specially crafted packets to the VNC server. No prior authentication or user interaction is required. The attacker triggers the authentication bypass by crafting packets that circumvent the password verification process [1].
Impact
Successful exploitation allows the attacker to gain unauthorized access to the VNC server, bypassing password authentication. This could lead to disclosure of sensitive information or unauthorized control of the HMI device [1].
Mitigation
Mitsubishi Electric has released updates to address the vulnerability. Users should update to the following fixed VNC server versions: for GT27 and GT25, version 01.40.000 or later; for GT21 and GS21 models, versions after 01.40.000. Refer to the vendor's advisory for detailed update instructions [1]. If updating is not immediately possible, disabling the VNC server function is recommended as a workaround.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=01.39.010
- Range: <=01.40.000
References
- jvn.jp/vu/JVNVU97615777/index.html (mitre, x_refsource_CONFIRM)
- www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-001_en.pdf (mitre, x_refsource_CONFIRM)