VYPR
Unrated severity · NVD Advisory · Published Apr 1, 2022 · Updated Aug 3, 2024

CVE-2022-25159

Description

Authentication bypass via capture-replay in Mitsubishi Electric MELSEC iQ-F, iQ-R, Q, and L series allows a remote unauthenticated attacker to log in.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability is an authentication bypass by capture-replay in Mitsubishi Electric MELSEC iQ-F series (FX5U(C) CPU, FX5UJ CPU all versions), MELSEC iQ-R series (R00/01/02CPU, R04/08/16/32/120(EN)CPU, R08/16/32/120SFCPU, R08/16/32/120PCPU, R08/16/32/120PSFCPU, R16/32/64MTCPU, RJ71C24(-R2/R4), RJ71EN71, RJ72GF15-T2 all versions), MELSEC Q series (Q03/04/06/13/26UDVCPU, Q04/06/13/26UDPVCPU, QJ71C24N(-R2/R4), QJ71E71-100 all versions), and MELSEC L series (L02/06/26CPU(-P), L26CPU-(P)BT, LJ71C24(-R2), LJ71E71-100, LJ72GF15-T2 all versions) as listed in the advisories [1][2]. The affected products accept replayed authentication data, allowing an attacker to bypass authentication.

Exploitation

An attacker can exploit this vulnerability remotely without authentication by first eavesdropping on network traffic to capture authentication data (e.g., password hash) and then replaying that captured data to the target device. The attack requires network access to the affected product's communication interface.

Impact

Successful exploitation allows the attacker to log in to the affected product with the privileges of the legitimate user whose authentication data was captured. This can lead to unauthorized access, potential alteration of device configuration, and disclosure of sensitive information.

Mitigation

As of the publication date (2022-04-01), no firmware updates or patches have been released to address this vulnerability; all versions of the affected products are vulnerable. Users are advised to implement network segmentation, restrict network access to trusted hosts, and monitor for suspicious network activity. Refer to the vendor and CISA advisories for further guidance [1][2].
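One way to act on the monitoring and trusted-host advice above, as an added example that is not taken from the vendor or CISA advisories or from this page. The login-record layout, host addresses and device names are constructed assumptions and do not describe the MELSEC protocol; a network sensor is assumed to supply one record per login attempt.

```python
"""Flag login attempts that reuse authentication data from an untrusted host.

Assumption: a network sensor already emits one record per login attempt with
the source address, the target device and the raw authentication bytes.
The record layout below is constructed for illustration only.
"""
import hashlib

TRUSTED_HOSTS = {"10.0.5.10", "10.0.5.11"}  # constructed engineering stations

# Constructed sample records: (timestamp, source, device, auth_bytes)
SAMPLE_LOGINS = [
    (100, "10.0.5.10", "plc-line1", b"\x01AUTHDATA-A"),
    (160, "10.0.5.10", "plc-line1", b"\x01AUTHDATA-A"),  # same station again
    (220, "10.0.9.77", "plc-line1", b"\x01AUTHDATA-A"),  # same bytes, new host
    (300, "10.0.5.11", "plc-line2", b"\x01AUTHDATA-B"),
    (350, "10.0.9.77", "plc-line2", b"\x01AUTHDATA-C"),  # untrusted, unseen bytes
]


def find_suspect_logins(logins, trusted_hosts):
    """Return alerts for logins from hosts outside the allowlist.

    kind is "replay" when the same authentication bytes were seen earlier
    for that device from a different source, else "untrusted-source".
    """
    first_seen = {}  # (device, digest) -> source that first sent those bytes
    alerts = []
    for ts, src, device, auth in sorted(logins, key=lambda rec: rec[0]):
        digest = hashlib.sha256(auth).hexdigest()  # keep a digest, not raw auth data
        origin = first_seen.setdefault((device, digest), src)
        if src in trusted_hosts:
            continue  # allowlisted stations legitimately resend the same data
        kind = "replay" if origin != src else "untrusted-source"
        alerts.append({"time": ts, "source": src, "device": device,
                       "kind": kind, "first_seen_from": origin})
    return alerts


if __name__ == "__main__":
    for alert in find_suspect_logins(SAMPLE_LOGINS, TRUSTED_HOSTS):
        print(alert)
```

Because a legitimate station may send identical authentication data on every login, repetition alone is not the signal; the alert keys on the same data arriving from a source outside the allowlist.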

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE. Mechanics are generated only when we can read the actual fix diff; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

3
