CVE-2022-29831
Description
Use of Hard-coded Password vulnerability in Mitsubishi Electric Corporation GX Works3 versions from 1.015R to 1.095Z allows a remote unauthenticated attacker to obtain information about the project file for MELSEC safety CPU modules.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A hard-coded password in Mitsubishi GX Works3 (1.015R to 1.095Z) lets an unauthenticated remote attacker extract project file information for MELSEC safety CPUs.
Vulnerability
CVE-2022-29831 is a use of hard-coded password vulnerability in Mitsubishi Electric GX Works3 versions 1.015R to 1.095Z [1][2]. The product stores credentials in plaintext or embeds a password that is not changeable, allowing an attacker who knows the hard-coded value to authenticate without authorization. This issue specifically affects the handling of project files for MELSEC safety CPU modules.
Exploitation
A remote unauthenticated attacker with network access to a system running an affected version of GX Works3 can exploit this flaw without any user interaction or special privileges [1]. By leveraging the publicly known or discoverable hard-coded password, the attacker can connect to the engineering software's communication interface and query project data.
Impact
Successful exploitation enables the attacker to obtain information about the project file for MELSEC safety CPU modules [1][2]. This disclosure of sensitive configuration data could aid in further attacks against the industrial control system. The compromise is limited to information disclosure; the attacker does not gain code execution or control of the CPU module itself.
Mitigation
Mitsubishi Electric has released GX Works3 version 1.096A and later, which are not affected by this specific vulnerability [1]. Users should update to 1.096A or newer. If updating is not immediately possible, refer to vendor guidance for limiting network exposure and using firewall rules to block unauthorized access to the engineering station. No KEV listing or public workaround was provided in the available references.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=1.015R, <=1.095Z
- Range: from 1.015R to 1.095Z
Patches
No patches discovered yet.
References
- www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-015_en.pdf (mitre, vendor-advisory)
- jvn.jp/vu/JVNVU97244961 (mitre, government-resource)
- www.cisa.gov/uscert/ics/advisories/icsa-22-333-05 (mitre, government-resource)