CVE-2022-29832
Description
Cleartext Storage of Sensitive Information in Memory vulnerability in Mitsubishi Electric Corporation GX Works3 versions 1.015R and later, GX Works2 all versions and GX Developer versions 8.40S and later allows a remote unauthenticated attacker to disclose sensitive information. As a result, unauthenticated users could obtain information about the project file for MELSEC safety CPU modules or project file for MELSEC Q/FX/L series with security setting.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cleartext storage of sensitive information in memory in multiple Mitsubishi Electric engineering software products allows remote unauthenticated attackers to disclose project file data.
Vulnerability
A cleartext storage of sensitive information in memory vulnerability exists in Mitsubishi Electric Corporation GX Works3 versions 1.015R and later, GX Works2 all versions, and GX Developer versions 8.40S and later [1][2]. The vulnerability allows sensitive data related to project files for MELSEC safety CPU modules or project files with security settings for MELSEC Q/FX/L series to be stored in an unencrypted manner in memory [1]. Affected software includes GX Works3 (versions 1.015R through 1.087R, 1.090U, 1.095Z, 1.096A and later), GX Works2 (all versions), and GX Developer (8.40S or later) [1].
Exploitation
An unauthenticated remote attacker can exploit this vulnerability by gaining access to the memory of the engineering software, either while it is running or through a crash dump. No authentication or user interaction is required for the attacker to retrieve the cleartext sensitive information from the affected process's memory [1]. The attack complexity is low, and the attack can be performed remotely with no special network position beyond being able to reach the device running the software [1].
Impact
Successful exploitation allows an unauthenticated remote attacker to disclose sensitive information contained in project files for MELSEC safety CPU modules or project files for MELSEC Q/FX/L series that have security settings applied [1]. This information disclosure could compromise the confidentiality of industrial control system configuration and security credentials, potentially enabling further attacks on the control network [1].
Mitigation
Mitsubishi Electric has released updated versions of GX Works3 to address this vulnerability, though specific fixed version numbers were not provided in the available references. Users should contact Mitsubishi Electric support or consult the vendor's advisory for the latest patched releases [1]. For GX Works2 and GX Developer, users are advised to upgrade to the latest supported versions or apply any available patches as recommended by the vendor. No workarounds have been disclosed, and this CVE is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >= 1.015R
- (no CPE)
- (no CPE) Range: all versions
- (no CPE) Range: 1.015R and later
- Range: >= 8.40S
- Mitsubishi Electric Corporation/GX Developer (v5) Range: 8.40S and later
Patches
No patches discovered yet.
References
- www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-015_en.pdf (mitre, vendor-advisory)
- jvn.jp/vu/JVNVU97244961 (mitre, government-resource)
- www.cisa.gov/uscert/ics/advisories/icsa-22-333-05 (mitre, government-resource)