VYPR
Unrated severity · NVD Advisory · Published Nov 24, 2022 · Updated Apr 25, 2025

CVE-2022-29828

Description

Use of Hard-coded Cryptographic Key vulnerability in Mitsubishi Electric GX Works3 versions from 1.000A and later allows a remote unauthenticated attacker to disclose sensitive information. As a result, unauthenticated attackers may view programs and project files or execute programs illegally.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A hard-coded cryptographic key in Mitsubishi Electric GX Works3 (1.000A to 1.096A+) allows remote unauthenticated attackers to disclose sensitive data, enabling program view/execution.

Vulnerability

CVE-2022-29828 is a use of hard-coded cryptographic key vulnerability in Mitsubishi Electric GX Works3, versions from 1.000A to 1.096A and later [1][2]. The product embeds a static cryptographic key that is used for communication or data protection, making it possible for an attacker to decrypt or bypass encryption without possessing any secret [1]. The affected versions span multiple update branches, with later versions still including the flaw [1].

Exploitation

An unauthenticated remote attacker can exploit the hard-coded key without any prior access or user interaction [1]. The attacker needs only network connectivity to a system running a vulnerable GX Works3 version [1]. By extracting or reverse-engineering the static key from the software, the attacker can decrypt intercepted communications or authenticate to protected functions [1]. No special privileges or physical access are required.

Impact

Successful exploitation allows the attacker to disclose sensitive information, including project files and programs, and possibly to execute programs illegally on the affected device [1]. This can lead to complete compromise of automation project confidentiality and integrity, potentially disrupting industrial control processes [1]. The CVSS v3 base score is 9.1 (Critical) due to the low attack complexity and remote exploitability [1].

Mitigation

Mitsubishi Electric has released updates for GX Works3 to address this vulnerability; users should upgrade to the latest fixed version as specified by the vendor [1]. The CISA advisory recommends applying the vendor-provided patches and following general security practices such as network segmentation and minimizing exposure to untrusted networks [1]. No workaround is described; the fix is to update the software [1]. Affected versions range from 1.000A onward, so all installations should be reviewed [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

3
