VYPR
Unrated severity · NVD Advisory · Published Sep 20, 2023 · Updated Sep 24, 2024

Malicious Code Execution Vulnerability in FA Engineering Software Products

CVE-2023-4088

Description

Incorrect Default Permissions vulnerability in multiple Mitsubishi Electric Corporation FA engineering software products allows a malicious local attacker to execute malicious code, resulting in information disclosure, tampering with and deletion of information, or a denial-of-service (DoS) condition, if the product is installed in a folder other than the default installation folder.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Mitsubishi Electric FA engineering software products have incorrect default permissions when installed in non-default folders, allowing local attackers to execute arbitrary code.

Vulnerability

Incorrect default permissions (CWE-276) exist in many Mitsubishi Electric FA engineering software products when installed in a folder other than the default installation folder [1][2]. Affected products include AL-PCS/WIN-E, CPU Module Logging Configuration Tool, EZSocket, FR Configurator2, FX Configurator-EN, FX Configurator-EN-L, FX Configurator-FP, GT Designer3 Version1 (GOT1000), GT Designer3 Version1 (GOT2000), GT SoftGOT1000 Version3, GT SoftGOT2000 Version1, GX LogViewer, GX Works2, GX Works3, MELSOFT FieldDeviceConfigurator, MELSOFT iQ AppPortal, MELSOFT MaiLab, MELSOFT Navigator, MELSOFT Update Manager, MX Component, MX Sheet, PX Developer, RT ToolBox3, RT VisualBox, Data Transfer, and Data Transfer Classic [2]. All versions of these products are impacted [2].

Exploitation

An attacker with local access to the system and no authentication can exploit this vulnerability when the software is installed in a non-default folder [1][2]. The incorrect permissions allow the attacker to place or modify executable files in the installation directory, leading to arbitrary code execution. The attack complexity is low, and no user interaction is required [2].

Impact

Successful exploitation can result in information disclosure, tampering with or deletion of information, or a denial-of-service (DoS) condition [1][2]. The CVSS v3 base score is 9.3 (Critical) with the vector string AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, indicating a significant impact on confidentiality, integrity, and availability [2].

Mitigation

Mitsubishi Electric recommends the following workarounds: install the software in the default installation folder, or if a non-default folder is required, ensure it is only writable by administrators [1][2]. No patches have been released as of the advisory dates; affected users should implement the workarounds to mitigate the risk [1][2]. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
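One way to check the second workaround on a Windows engineering workstation, as an added example that is not from Mitsubishi Electric or the cited advisories: the script lists ACL entries that grant write-type access on an installation folder to anyone outside an allow-list. The path is a placeholder, and the allow-list of SIDs and the helper name `Get-UntrustedWriter` are assumptions of this example.

```powershell
# Added example (not vendor code): flag ACL entries that let non-administrative
# principals write to a non-default installation folder.
param(
    # Placeholder path; replace with the actual installation folder.
    [string]$InstallPath = 'D:\Apps\EngineeringSoftware'
)

# Principals accepted as writers (an assumption of this example).
$trustedSids = @(
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-3-0',        # CREATOR OWNER (applies only to objects a writer already created)
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Bits that allow creating, replacing or deleting files, or changing the ACL.
# Only pure write bits are used, so read-only entries never match.
$writeBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Stored ACEs can carry unmapped generic rights: GENERIC_WRITE and GENERIC_ALL.
$writeBits = $writeBits -bor 0x40000000 -bor 0x10000000

function Get-UntrustedWriter {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (([int]$rule.FileSystemRights -band $writeBits) -eq 0) { continue }
        $sid = $rule.IdentityReference.Value
        if ($trustedSids -contains $sid) { continue }
        # Resolve a readable name where possible; keep the SID if it is orphaned.
        try { $name = $rule.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = $sid }
        [pscustomobject]@{
            Path = $Path; Principal = $name
            Rights = $rule.FileSystemRights; Inherited = $rule.IsInherited
        }
    }
}

# Check the folder and every subfolder, since subfolder permissions can
# differ from the parent when inheritance is broken.
$subfolders = @(Get-ChildItem -LiteralPath $InstallPath -Directory -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object FullName)
$findings = foreach ($f in (@($InstallPath) + $subfolders)) { Get-UntrustedWriter -Path $f }
if ($findings) { $findings | Format-Table -AutoSize }
else { "No non-administrative write access found under $InstallPath" }
```

Any row in the output names a principal whose write access should be removed or justified; entries marked as inherited have to be corrected on the parent folder or by disabling inheritance on the installation folder.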

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

27

Patches

0

No patches discovered yet.


References

3
