CVE-2022-29825
Description
Use of Hard-coded Password vulnerability in Mitsubishi Electric GX Works3 versions from 1.000A to 1.090U, GT Designer3 Version1 (GOT2000) versions from 1.122C to 1.290C, and MT Works2 versions from 1.100E to 1.200J allows an unauthenticated attacker to disclose sensitive information. As a result, unauthenticated users may view programs and project files or execute programs illegally.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Hard-coded password in Mitsubishi Electric FA engineering software allows unauthenticated attackers to disclose sensitive information and execute programs.
Vulnerability
CVE-2022-29825 is a use of hard-coded password vulnerability in Mitsubishi Electric GX Works3 versions 1.000A to 1.090U, GT Designer3 Version1 (GOT2000) versions 1.122C to 1.290C, and MT Works2 versions 1.100E to 1.200J [1][2]. The affected software contains a hard-coded credential that can be leveraged by an unauthenticated attacker to access sensitive data.
Exploitation
An unauthenticated attacker can exploit this vulnerability remotely with low complexity [1]. No authentication or user interaction is required. The attacker can use the hard-coded password to connect to the engineering software and retrieve project files, view program logic, or execute arbitrary programs on the affected system.
Impact
Successful exploitation allows an unauthenticated attacker to disclose sensitive information, including project files and program code, and to execute programs without authorization [1][2]. This can lead to unauthorized control of MELSEC iQ-R/F/L series CPU modules and OPC UA server modules, compromising the confidentiality and integrity of the industrial control system.
Mitigation
Mitsubishi Electric has released updated versions that address this vulnerability. For GX Works3, versions 1.095Z and later are not affected by CVE-2022-29825 [1]. Users should upgrade to the latest versions of GX Works3, GT Designer3 Version1 (GOT2000), and MT Works2 as specified in the vendor's advisory [1][2]. No workarounds are documented; applying the updates is the recommended mitigation.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
6>=1.100E, <=1.200J+ 1 more
- (no CPE)range: >=1.100E, <=1.200J
- (no CPE)range: from 1.100E to 1.200J
>=1.122C, <=1.290C+ 1 more
- (no CPE)range: >=1.122C, <=1.290C
- (no CPE)range: from 1.122C to 1.290C
>=1.000A, <=1.090U+ 1 more
- (no CPE)range: >=1.000A, <=1.090U
- (no CPE)range: from 1.000A to 1.090U
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
3- www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-015_en.pdfmitrevendor-advisory
- jvn.jp/vu/JVNVU97244961/index.htmlmitregovernment-resource
- www.cisa.gov/uscert/ics/advisories/icsa-22-333-05mitregovernment-resource
News mentions
0No linked articles in our index yet.