Unrated severity · NVD Advisory · Published Nov 30, 2023 · Updated Dec 2, 2024

CVE-2023-5247

Description

Malicious Code Execution Vulnerability due to External Control of File Name or Path in multiple Mitsubishi Electric FA Engineering Software Products allows a malicious attacker to execute malicious code by having legitimate users open a specially crafted project file, which could result in information disclosure, tampering and deletion, or a denial-of-service (DoS) condition.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Multiple Mitsubishi Electric FA engineering products allow code execution via a crafted project file, leading to info disclosure, tampering, deletion, or DoS.

Vulnerability

CVE-2023-5247 is an external control of file name or path (CWE-73) vulnerability in multiple Mitsubishi Electric FA Engineering Software Products. The affected products include GX Works3 (all versions), MELSOFT iQ AppPortal (all versions), MELSOFT Navigator (all versions), and Motion Control Setting (all versions, bundled with GX Works3) [1]. The vulnerability occurs when a legitimate user opens a specially crafted project file, allowing an attacker to control file names or paths during project processing [1].

Exploitation

An attacker must craft a malicious project file and convince a legitimate user to open it using an affected product [1]. The attacker does not require any special network position or authentication; user interaction is the primary attack vector. Exploitation does not involve a race condition or other timing-dependent steps [1].

Impact

Successful exploitation enables the attacker to execute malicious code within the context of the affected software [1]. This can result in information disclosure (theft of data), tampering and deletion of files, or a denial-of-service (DoS) condition [1]. The attacker gains the ability to perform arbitrary operations on the victim's system, limited by the privileges of the user running the FA engineering software [1].

Mitigation

Mitsubishi Electric recommends workarounds because no patch has been announced for all versions [1]. These include installing antivirus software on the PC running the affected products, using the products only on trusted networks and blocking remote login from untrusted hosts and users, and using firewalls or VPNs to prevent unauthorized access when connecting to the internet [1]. Affected users should also restrict remote login to trusted users only [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4

Patches

0

No patches discovered yet.

References

2
