VYPR
Unrated severity · NVD Advisory · Published Jun 2, 2022 · Updated Aug 3, 2024

CVE-2022-25163

Description

Improper input validation in Mitsubishi Electric MELSEC-Q/L Ethernet units and iQ-R MES unit allows unauthenticated remote DoS or code execution.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An improper input validation vulnerability (CWE-20) exists in the Web function of Mitsubishi Electric MELSEC-Q Series QJ71E71-100 (serial number first 5 digits "24061" or prior), MELSEC-L Series LJ71E71-100 (serial number first 5 digits "24061" or prior), and the REST server function of MELSEC iQ-R Series RD81MES96N (firmware version "08" or prior). The vulnerability is triggered when specially crafted packets are received by the affected device [1].

Exploitation

An unauthenticated remote attacker can send specially crafted packets to the target device. The only precondition is network access: the attacker must be able to reach the network interface of the affected unit and deliver the malicious payload. No prior authentication and no user interaction are required [1].

Impact

Successful exploitation can cause a denial-of-service (DoS) condition on the device or allow the attacker to execute arbitrary malicious code. This compromises availability and, depending on the attacker's payload, potentially integrity and confidentiality [1].

Mitigation

As of the publication date (2022-06-02), the available references do not list a fix or workaround released by the vendor, Mitsubishi Electric. Users are advised to contact Mitsubishi Electric for updated firmware or mitigation guidance. No version beyond the affected serial numbers or firmware version has been announced as fixed [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

2
