VYPR
Unrated severity · NVD Advisory · Published Apr 1, 2022 · Updated Aug 3, 2024

CVE-2022-25156

Description

Weak hash in Mitsubishi Electric MELSEC series CPUs lets remote attackers reverse passwords from eavesdropped hashes to log in.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

CVE-2022-25156 is a use-of-weak-hash vulnerability (CWE-328) in Mitsubishi Electric MELSEC iQ-F, iQ-R, Q, and L series CPUs and communication modules, affecting all versions of a wide range of models [1][2]. The affected products use a weak hash algorithm to protect passwords, making it feasible for an attacker to reverse a password from a previously intercepted password hash [2]. The vulnerability exists in the authentication mechanism, where the hash is stored or transmitted instead of the original password.

Exploitation

A remote, unauthenticated attacker can eavesdrop on network traffic to capture a password hash sent or stored by the device [2]. The attacker then reverses the weak hash offline to recover the plaintext password [2]. No special privileges or user interaction are required; the attacker only needs to be positioned to observe authentication traffic [2].

Impact

Successful exploitation allows the attacker to log in to the affected product using the recovered plaintext password [1][2]. This could lead to disclosure of sensitive information (confidentiality impact) and potentially allow unauthorized control or configuration changes, depending on the attacker's subsequent actions [2].

Mitigation

As of the latest advisories, Mitsubishi Electric has not yet released a firmware fix for this vulnerability [1][2]. Users are advised to contact Mitsubishi Electric support for mitigation measures, and to restrict network access to affected devices, use firewalls, and monitor for suspicious activity [2]. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

3
