Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ptsecurityPositive TechnologiesPT-2021-12
HistoryDec 15, 2021 - 12:00 a.m.

PT-2021-12: Authentication pypass by capture-replay in FX5U(C) CPU and FX5UJ CPU modules

2021-12-1500:00:00
Positive Technologies
www.ptsecurity.com
10

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

0.004 Low

EPSS

Percentile

74.4%

JSON

PT-2021-12: Authentication pypass by capture-replay in FX5U© CPU and FX5UJ CPU modules

FX5U© CPU and FX5UJ CPU modules

Severity level

Severity level: Medium
Impact: Authentication pypass by capture-replay in FX5U© CPU and FX5UJ CPU modules
Access Vector: Remote

CVSS v3.0
Base Score: 5,9
Vector: (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVE-2022-25159

Vulnerability description:

The vulnerability of the FX5U© CPU and FX5UJ CPU modules of Mitsubishi Electric FA products is associated with the possibility of bypass authorization using capture-replay of intercepted parameters. Exploitation of the vulnerability may allow an attacker who has intercepted the parameters of the security key mechanism transmitted in the MELSOFT protocol in open form to authorize the PLC firmware.

Advisory status

15.12.2021 - Vendor gets vulnerability details
31.03.2022 - Security advisory publication date (https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-031_en.pdf )

Credits

The vulnerability was detected by Anton Dorfman (Positive Technologies)

Related

cvelist 1
nvd 1
prion 1
cve 1
nessus 1
ics 1
cvelist
cvelist
CVE-2022-25159
2022-04-01 22:18:00
nvd
nvd
CVE-2022-25159
2022-04-01 23:15:14
prion
prion
Authentication flaw
2022-04-01 23:15:00
cve
cve
CVE-2022-25159
2022-04-01 23:15:14
nessus
nessus
Mitsubishi Electric FA Products Authentication Bypass By Capture-Replay (CVE-2022-25159)
2022-04-28 00:00:00
ics
ics
Mitsubishi Electric FA Products (Update A)
2022-06-01 12:00:00

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

8.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

0.004 Low

EPSS

Percentile

74.4%

JSON
Related for PT-2021-12
cvelist1nvd1prion1cve1nessus1ics1