CVE-2022-40268
Description
Improper Restriction of Rendered UI Layers or Frames vulnerability in Mitsubishi Electric Corporation GOT2000 Series GT27 model versions 01.14.000 to 01.47.000, Mitsubishi Electric Corporation GOT2000 Series GT25 model versions 01.14.000 to 01.47.000 and Mitsubishi Electric Corporation GT SoftGOT2000 versions 1.265B to 1.285X allows a remote unauthenticated attacker to lead legitimate users to perform unintended operations through clickjacking.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Clickjacking vulnerability in Mitsubishi Electric GOT2000 series and GT SoftGOT2000 allows remote attackers to trick users into unintended operations.
Vulnerability
The vulnerability is a clickjacking issue (CWE-1021) in the GOT Mobile function of Mitsubishi Electric GOT2000 Series GT27 and GT25 models versions 01.14.000 to 01.47.000 and GT SoftGOT2000 versions 1.265B to 1.285X [1]. The application fails to properly restrict rendered UI layers or frames, allowing an attacker to overlay transparent elements.
Exploitation
An unauthenticated remote attacker can craft a malicious web page that embeds the GOT Mobile interface in a transparent iframe. By tricking a legitimate user into interacting with the page (e.g., clicking on seemingly innocuous elements), the attacker can cause the user to perform unintended actions on the GOT system.
Impact
Successful exploitation leads to the victim performing unintended operations on the GOT device, potentially altering HMI controls or data. The attacker does not gain direct access but can manipulate the user's actions.
Mitigation
Mitsubishi Electric has released updates: for GOT2000 series, update to version 01.48.000 or later; for GT SoftGOT2000, update to version 1.286A or later [1]. Users should apply the patches as per the vendor's advisory. No workarounds are mentioned.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=01.14.000, <=01.47.000
- Range: >=01.14.000, <=01.47.000
- (no CPE) range: >=1.265B, <=1.285X
- (no CPE) range: 1.265B to 1.285X
- (no CPE) range: 01.14.000 to 01.47.000
- (no CPE) range: 01.14.000 to 01.47.000
Patches
No patches discovered yet.
References (2)
News mentions
No linked articles in our index yet.