Unrated severity · NVD Advisory · Published Jan 30, 2024 · Updated Sep 19, 2025

CVE-2023-6942

Description

Missing Authentication for Critical Function vulnerability in Mitsubishi Electric Corporation EZSocket versions 3.0 to 5.92, GT Designer3 Version1(GOT1000) versions 1.325P and prior, GT Designer3 Version1(GOT2000) versions 1.320J and prior, GX Works2 versions 1.11M to 1.626C, GX Works3 versions 1.106L and prior, MELSOFT Navigator versions 1.04E to 2.102G, MT Works2 versions 1.190Y and prior, MX Component versions 4.00A to 5.007H and MX OPC Server DA/UA all versions allows a remote unauthenticated attacker to bypass authentication by sending specially crafted packets and connect to the products illegally.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Mitsubishi Electric FA engineering software products contain a missing authentication vulnerability (CWE-306) allowing unauthenticated remote attackers to bypass authentication via crafted packets.

Vulnerability

A Missing Authentication for Critical Function vulnerability (CWE-306) exists in multiple Mitsubishi Electric FA engineering software products. The affected products are: EZSocket versions 3.0 to 5.92; GT Designer3 Version1 (GOT1000) versions 1.325P and prior; GT Designer3 Version1 (GOT2000) versions 1.320J and prior; GX Works2 versions 1.11M to 1.626C; GX Works3 versions 1.106L and prior; MELSOFT Navigator versions 1.04E to 2.102G; MT Works2 versions 1.190Y and prior; MX Component versions 4.00A to 5.007H; and MX OPC Server DA/UA (software packaged with MC Works64) all versions [1][2]. The products fail to properly authenticate critical functions, allowing an attacker to bypass authentication.

Exploitation

A remote unauthenticated attacker can exploit this vulnerability by sending specially crafted packets to an affected product. No authentication or prior access is required; the attack can be performed over a network with low complexity [2]. The attacker does not need any user interaction or special privileges [2]. By sending the crafted packets, the attacker can bypass the product's authentication mechanism and establish an unauthorized connection to the software.

Impact

Successful exploitation allows an attacker to connect to the affected products illegally, bypassing all authentication controls. According to the CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), the attack compromises integrity (I:H) but does not directly impact confidentiality or availability [2]. However, when combined with CVE-2023-6943, an attacker could potentially disclose, tamper with, destroy, or delete information, or cause a denial-of-service (DoS) condition on the products [1][2].

Mitigation

Mitsubishi Electric has released updated versions for most of the affected products; users should consult the vendor's information for the specific fixed version for each product [1]. As of the publication date (2024-01-30), MX OPC Server DA/UA (packaged with MC Works64) remains without a fixed version [1]. Users are advised to apply the available updates or contact Mitsubishi Electric for remediation guidance. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [2].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 17

References: 3
