VYPR
Unrated severity · NVD Advisory · Published Dec 17, 2021 · Updated Aug 3, 2024

CVE-2021-20606

Description

Out-of-bounds Read vulnerability in Mitsubishi Electric GX Works2 versions 1.606G and prior, Mitsubishi Electric MELSOFT Navigator versions 2.84N and prior, and Mitsubishi Electric EZSocket versions 5.4 and prior allows an attacker to cause a DoS condition in the software by getting a user to open a malicious project file specially crafted by an attacker.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Out-of-bounds read in Mitsubishi Electric GX Works2, MELSOFT Navigator, and EZSocket allows DoS via crafted project file.

Vulnerability

An out-of-bounds read vulnerability (CWE-125) exists in Mitsubishi Electric GX Works2 versions 1.606G and prior, MELSOFT Navigator versions 2.84N and prior, and EZSocket versions 5.4 and prior. When a user opens a specially crafted project file, the software reads data outside the intended buffer boundary, leading to a denial-of-service condition. [1][2]

Exploitation

An attacker must craft a malicious project file and convince a valid user to open it using the affected software. No authentication or special network position is required; the attack vector is local and requires user interaction. The user simply opening the file triggers the out-of-bounds read. [1][2]

Impact

Successful exploitation causes the software to enter a denial-of-service (DoS) state, potentially crashing or becoming unresponsive. The CVSS v3 base score is 5.5 (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H), indicating high availability impact but no confidentiality or integrity compromise. [1][2]

Mitigation

Mitsubishi Electric has released updates: GX Works2 version 1.610L and later, MELSOFT Navigator version 2.86Q and later, and EZSocket version 5.5 and later. Users should apply these updates from the vendor's official channels. No workaround is provided; updating is the recommended mitigation. [1][2]

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
