CVE-2021-20601
Description
Improper input validation vulnerability in GOT2000 series GT27 model all versions, GOT2000 series GT25 model all versions, GOT2000 series GT23 model all versions, GOT2000 series GT21 model all versions, GOT SIMPLE series GS21 model all versions, and GT SoftGOT2000 all versions allows a remote unauthenticated attacker to write a value that exceeds the configured input range limit by sending a malicious packet to rewrite the device value. As a result, the system operation may be affected, such as malfunction.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated remote attacker can bypass input-range validation on Mitsubishi Electric GOT HMIs and write arbitrary device values, causing system malfunction.
Vulnerability
An improper input validation vulnerability exists in the Mitsubishi Electric GOT2000 series (GT27, GT25, GT23, GT21 models — all versions), GOT SIMPLE series GS21 model all versions, and GT SoftGOT2000 all versions [1][2]. The product fails to validate input values against the configured range limits, allowing a remote attacker to write a value that exceeds the intended range [1][2].
Exploitation
An unauthenticated attacker with network access can send a malicious packet to the affected device [2]. The attack is remotely exploitable, requires no authentication, and has low attack complexity (AV:N/AC:L/PR:N/UI:N/S:U) [2]. No user interaction is needed [2].
Impact
Successful exploitation results in information tampering: the device value is rewritten to a value outside the configured input range limit [1][2]. This can cause the system to malfunction, potentially affecting critical manufacturing operations [2]. The CVSS v3 score is 7.5 (High), with impact on integrity (I:H) and no impact on confidentiality or availability [2].
Mitigation
As of the publication date (2021-11-23), no firmware patch is available. Mitsubishi Electric recommends the following workarounds: use a firewall or VPN when connecting to the Internet, restrict access to trusted networks and hosts, install antivirus on host computers, and enable the IP filter function on the GOT to limit allowable IP addresses [1][2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- GOT2000 series GT27 model
Patches
No patches discovered yet.
References
- jvn.jp/vu/JVNVU98072504 (mitre, x_refsource_MISC)
- us-cert.cisa.gov/ics/advisories/icsa-21-320-02 (mitre, x_refsource_MISC)
- www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2021-018.pdf (mitre, x_refsource_MISC)