CVE-2022-25164
Description
Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric GX Works3 versions from 1.000A to 1.095Z and Mitsubishi Electric MX OPC UA Module Configurator-R versions 1.08J and prior allows a remote unauthenticated attacker to disclose sensitive information. As a result, unauthenticated attackers can gain unauthorized access to the MELSEC CPU module and the MELSEC OPC UA server module.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cleartext storage of sensitive information in Mitsubishi GX Works3 and MX OPC UA Module Configurator-R allows remote unauthenticated attackers to disclose credentials and gain unauthorized access to MELSEC CPU and OPC UA server modules.
Vulnerability
Mitsubishi Electric GX Works3 versions from 1.000A to 1.095Z and MX OPC UA Module Configurator-R versions 1.08J and prior store sensitive information in cleartext [1][2]. This cleartext storage vulnerability (CVE-2022-25164) exposes credentials or other sensitive data that are used to authenticate to MELSEC iQ-R/F/L series CPU modules and the MELSEC iQ-R series OPC UA server module. The vulnerability is present in the engineering software when it handles authentication data for communication with programmable logic controllers (PLCs).
Exploitation
An attacker with network access to a system running an affected version of GX Works3 or MX OPC UA Module Configurator-R can exploit this vulnerability remotely without authentication [1]. No special privileges or user interaction is required. The attacker can read the cleartext sensitive information stored by the software, for example by inspecting configuration files, memory, or network traffic that exposes the unencrypted data [1].
Impact
Successful exploitation allows a remote unauthenticated attacker to disclose sensitive information, specifically credentials used to access MELSEC CPU modules and the MELSEC OPC UA server module [1]. The attacker can then use these credentials to gain unauthorized access to the MELSEC CPU module and the MELSEC OPC UA server module, potentially allowing them to view and execute programs or view project files without proper authorization [1]. This leads to a compromise of confidentiality and integrity of the affected control system.
Mitigation
Mitsubishi Electric has released updated versions to address this vulnerability. For GX Works3, versions 1.096A and later are fixed and are not affected by CVE-2022-25164 [1]. For MX OPC UA Module Configurator-R, the fix is incorporated in version 1.09A or later [1]. Users should update to the latest versions of the software as provided by Mitsubishi Electric. No workaround is detailed in the available references. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) Range: <=1.08J
- (no CPE) Range: 1.08J and prior
- Range: 1.000A - 1.095Z
- Range: from 1.000A to 1.095Z
Patches
No patches discovered yet.
References
- www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-015_en.pdf (mitre, vendor-advisory)
- jvn.jp/vu/JVNVU97244961/index.html (mitre, government-resource)
- www.cisa.gov/uscert/ics/advisories/icsa-22-333-05 (mitre, government-resource)