VYPR
Unrated severity · NVD Advisory · Published Nov 24, 2022 · Updated Apr 25, 2025

CVE-2022-29827

Description

Use of Hard-coded Cryptographic Key vulnerability in Mitsubishi Electric GX Works3 versions from 1.000A and later allows a remote unauthenticated attacker to disclose sensitive information. As a result, unauthenticated attackers may view programs and project files or execute programs illegally.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Hard-coded cryptographic key in Mitsubishi GX Works3 lets remote unauthenticated attackers disclose sensitive data like programs and project files.

Vulnerability

CVE-2022-29827 is a use of hard-coded cryptographic key vulnerability in Mitsubishi Electric GX Works3. Affected versions are 1.000A through 1.011M, 1.015R through 1.087R, 1.090U, 1.095Z, and 1.096A and later [1][2]. The vulnerability allows a remote unauthenticated attacker to disclose sensitive information due to the static key used for cryptographic operations.

Exploitation

An attacker does not require authentication or any special network position; they only need network access to the affected system [1]. The hard-coded key can be extracted or used directly to decrypt or access protected data, enabling the attacker to view program files and project files without any user interaction or privileges.

Impact

Successful exploitation allows an unauthenticated attacker to view programs and project files, and potentially execute programs illegally [1][2]. This compromises the confidentiality of sensitive engineering data and could lead to unauthorized control over MELSEC iQ-R/F/L series CPU modules and OPC UA server modules, depending on the version and configuration [1].

Mitigation

Mitsubishi Electric has released updates; users should upgrade GX Works3 to a version that addresses the vulnerability. Refer to the vendor advisory and the affected versions list for the exact fixed version [1][2]. For a complete list of affected products and specific fixes, consult the CISA advisory and Japanese JVN page. If upgrading is not possible, restrict network access to the software and implement network segmentation as a workaround.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

3
