Authentication Bypass Vulnerability in Web Server Function on MELSEC Series
Description
Mitsubishi Electric MELSEC iQ-F and iQ-R series web server authentication uses a predictable PRNG seed, allowing a remote unauthenticated attacker to guess random numbers and bypass authentication.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The WEB server function in multiple Mitsubishi Electric MELSEC iQ-F and iQ-R series devices uses a pseudo-random number generator (PRNG) with a predictable seed, which allows an attacker to calculate authentication tokens. This CWE-337 vulnerability affects FX5U, FX5UC, FX5UJ, FX5S, and certain R series CPUs with specific serial numbers and firmware versions prior to the fixed releases detailed in the vendor advisories [1][2].
Exploitation
A remote unauthenticated attacker can exploit this vulnerability without any prior access or credentials. By observing several random numbers used in authentication handshakes, the attacker can determine the PRNG seed and predict subsequent values. This enables the attacker to calculate valid authentication tokens and access the web server interface without legitimate credentials [1][2].
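The CWE-337 pattern the two paragraphs above describe, as an added illustration that is not taken from this CVE record or from Mitsubishi's firmware: a token generator driven by a linear congruential generator seeded from the wall clock, beside one backed by the operating system's CSPRNG, and a self-check a defender can run to confirm that issued tokens cannot be regenerated from a small window of candidate seeds. The LCG, the clock-derived seed and every function name are assumptions chosen for teaching; the device's real generator and seed source are not disclosed on this page.

```python
import hmac
import secrets
import time
from typing import Iterable, Iterator, Optional

# Added illustration of CWE-337 (predictable seed in a PRNG). The generator,
# seed source and function names are assumptions for teaching purposes; none
# of this is Mitsubishi's code, and the real device algorithm is not on the page.


def lcg_stream(seed: int) -> Iterator[int]:
    """Minimal 32-bit linear congruential generator (Numerical Recipes constants).
    Every output is a deterministic function of the seed, so anyone who knows
    or can bound the seed can replay the entire sequence."""
    state = seed & 0xFFFFFFFF
    while True:
        state = (1664525 * state + 1013904223) & 0xFFFFFFFF
        yield state


def predictable_seed(now: Optional[float] = None) -> int:
    """Weak seed: wall-clock seconds. An observer who knows roughly when a
    handshake happened can narrow this to a handful of candidates."""
    return int(time.time() if now is None else now)


def weak_token(seed: int, words: int = 4) -> str:
    """Vulnerable pattern: a 128-bit-looking token fully determined by a 32-bit seed."""
    gen = lcg_stream(seed)
    return "".join(f"{next(gen):08x}" for _ in range(words))


def strong_token(nbytes: int = 16) -> str:
    """Hardened pattern: draw the token from the OS CSPRNG via `secrets`,
    which exposes no application-level seed that could be predicted."""
    return secrets.token_hex(nbytes)


def token_is_reproducible(token: str, candidate_seeds: Iterable[int]) -> bool:
    """Defender self-check: can any seed in a plausible window regenerate this
    token? A sound generator must make this False for every window an observer
    could guess. compare_digest keeps the comparison constant-time."""
    return any(hmac.compare_digest(weak_token(s), token) for s in candidate_seeds)


if __name__ == "__main__":
    t0 = predictable_seed(1_700_000_000.0)  # constructed handshake timestamp
    issued = weak_token(t0)
    window = range(t0 - 30, t0 + 30)        # +/- 30 s of clock uncertainty
    print("weak token reproducible from seed window:",
          token_is_reproducible(issued, window))
    print("strong token reproducible from seed window:",
          token_is_reproducible(strong_token(), window))
```

The self-check is the test a firmware or web-application team would keep in their suite: generate a token, sweep every seed an outsider could plausibly guess, and fail the build if any of them reproduces it. Replacing the seeded generator with a CSPRNG makes that sweep meaningless because there is no seed to recover.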
Impact
Successful exploitation allows the attacker to bypass authentication and gain unauthorized access to the WEB server function of the affected PLCs. This could lead to unauthorized reading or modification of device configuration, program data, or operational parameters, potentially disrupting industrial control processes [1][2].
Mitigation
Mitsubishi Electric recommends updating affected devices to the fixed firmware versions: MELSEC iQ-F Series to version 1.281 or later; MELSEC iQ-R Series R00/01/02CPU to version 33B or later, and R04/08/16/32/120(EN)CPU to version 67 or later. No workaround is available; users should additionally segment the network and restrict access to the web server to trusted hosts only [1][2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
68 entries (13 more not listed here)
- (no CPE)
- (no CPE) range: versions 33 and prior
- (no CPE) range: versions 33 and prior
- (no CPE) range: versions 33 and prior
- (no CPE) range: versions 66 and prior
- (no CPE) range: versions 66 and prior
- (no CPE) range: versions 66 and prior
- (no CPE) range: versions 66 and prior
- (no CPE) range: versions 66 and prior
- (no CPE) range: versions 66 and prior
- (no CPE) range: versions 66 and prior
- (no CPE) range: versions 66 and prior
- (no CPE) range: versions 66 and prior
- (no CPE) range: versions 66 and prior
- Mitsubishi Electric Corporation/MELSEC iQ-F Series FX5U-80MT/ES v5, range: serial number 17X**** or later, and versions 1.280 and prior
1.003 and prior (46 more entries not listed here)
- (no CPE) range: 1.003 and prior
- (no CPE) range: 1.003 and prior
- (no CPE) range: 1.003 and prior
- (no CPE) range: 1.003 and prior
- (no CPE) range: 1.003 and prior
- (no CPE) range: 1.003 and prior
- (no CPE) range: 1.003 and prior
- (no CPE) range: 1.003 and prior
- (no CPE) range: 1.003 and prior
- (no CPE) range: 1.003 and prior
- (no CPE) range: 1.003 and prior
- (no CPE) range: 1.003 and prior
- (no CPE) range: serial number 17X**** or later, and versions 1.280 and prior
- (no CPE) range: serial number 17X**** or later, and versions 1.280 and prior
- (no CPE) range: serial number 17X**** or later, and versions 1.280 and prior
- (no CPE) range: serial number 17X**** or later, and versions 1.280 and prior
- (no CPE) range: serial number 17X**** or later, and versions 1.280 and prior
- (no CPE) range: serial number 17X**** or later, and versions 1.280 and prior
- (no CPE) range: serial number 17X**** or later, and versions 1.280 and prior
- (no CPE) range: serial number 17X**** or later, and versions 1.280 and prior
- (no CPE) range: serial number 17X**** or later, and versions 1.280 and prior
- (no CPE) range: serial number 17X**** or later, and versions 1.280 and prior
- (no CPE) range: serial number 17X**** or later, and versions 1.280 and prior
- (no CPE) range: serial number 17X**** or later, and versions 1.280 and prior
- (no CPE) range: serial number 17X**** or later, and versions 1.280 and prior
- (no CPE) range: serial number 17X**** or later, and versions 1.280 and prior
- (no CPE) range: serial number 17X**** or later, and versions 1.280 and prior
- (no CPE) range: serial number 17X**** or later, and versions 1.280 and prior
- (no CPE) range: serial number 17X**** or later, and versions 1.280 and prior
- (no CPE) range: serial number 17X**** or later, and versions 1.280 and prior
- (no CPE) range: serial number 17X**** or later, and versions 1.280 and prior
- (no CPE) range: serial number 17X**** or later, and versions 1.280 and prior
- (no CPE) range: 1.042 and prior
- (no CPE) range: 1.043 and prior
- (no CPE) range: 1.042 and prior
- (no CPE) range: 1.043 and prior
- (no CPE) range: 1.042 and prior
- (no CPE) range: 1.042 and prior
- (no CPE) range: 1.043 and prior
- (no CPE) range: 1.042 and prior
- (no CPE) range: 1.043 and prior
- (no CPE) range: 1.042 and prior
- (no CPE) range: 1.042 and prior
- (no CPE) range: 1.043 and prior
- (no CPE) range: 1.042 and prior
- (no CPE) range: 1.043 and prior
- (no CPE) range: 1.042 and prior
- Mitsubishi Electric Corporation/MELSEC iQ-F Series FX5UC-32MR/DS-TS v5, range: versions 1.280 and prior
- Mitsubishi Electric Corporation/MELSEC iQ-F Series FX5UC-32MT/DSS v5, range: serial number 17X**** or later, and versions 1.280 and prior
- Mitsubishi Electric Corporation/MELSEC iQ-F Series FX5UC-32MT/DSS-TS v5, range: versions 1.280 and prior
- Mitsubishi Electric Corporation/MELSEC iQ-F Series FX5UC-32MT/DS-TS v5, range: versions 1.280 and prior
- Mitsubishi Electric Corporation/MELSEC iQ-F Series FX5UC-64MT/DSS v5, range: serial number 17X**** or later, and versions 1.280 and prior
- Mitsubishi Electric Corporation/MELSEC iQ-F Series FX5UC-96MT/DSS v5, range: serial number 17X**** or later, and versions 1.280 and prior
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context is available for this CVE: the mechanics section is generated only when the actual fix diff can be read. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (3)
News mentions
No linked articles in our index yet.