CVE-2023-4088

Summary

Incorrect Default Permissions vulnerability in Mitsubishi Electric Corporation multiple FA engineering software products allows a malicious local attacker to execute a malicious code, resulting in information disclosure, tampering with and deletion, or a denial-of-service (DoS) condition, if the product is installed in a folder other than the default installation folder.

Affected Software

VendorProductVersion RangeStatus
Mitsubishi Electric CorporationGX Works3all versionsaffected
Mitsubishi Electric CorporationAL-PCS/WIN-Eall versionsaffected
Mitsubishi Electric CorporationCPU Module Logging Configuration Toolall versionsaffected
Mitsubishi Electric CorporationEZSocketall versionsaffected
Mitsubishi Electric CorporationFR Configurator2all versionsaffected
Mitsubishi Electric CorporationFX Configurator-ENall versionsaffected
Mitsubishi Electric CorporationFX Configurator-EN-Lall versionsaffected
Mitsubishi Electric CorporationFX Configurator-FPall versionsaffected
Mitsubishi Electric CorporationGT Designer3 Version1(GOT1000)all versionsaffected
Mitsubishi Electric CorporationGT Designer3 Version1(GOT2000)all versionsaffected
Mitsubishi Electric CorporationGT SoftGOT1000 Version3all versionsaffected
Mitsubishi Electric CorporationGT SoftGOT2000 Version1all versionsaffected
Mitsubishi Electric CorporationGX LogViewerall versionsaffected
Mitsubishi Electric CorporationGX Works2all versionsaffected
Mitsubishi Electric CorporationMELSOFT FieldDeviceConfiguratorall versionsaffected
Mitsubishi Electric CorporationMELSOFT iQ AppPortalall versionsaffected
Mitsubishi Electric CorporationMELSOFT MaiLaball versionsaffected
Mitsubishi Electric CorporationMELSOFT Navigatorall versionsaffected
Mitsubishi Electric CorporationMELSOFT Update Managerall versionsaffected
Mitsubishi Electric CorporationMX Componentall versionsaffected
Mitsubishi Electric CorporationMX Sheetall versionsaffected
Mitsubishi Electric CorporationPX Developerall versionsaffected
Mitsubishi Electric CorporationRT ToolBox3all versionsaffected
Mitsubishi Electric CorporationRT VisualBoxall versionsaffected
Mitsubishi Electric CorporationData Transferall versionsaffected
Mitsubishi Electric CorporationData Transfer Classicall versionsaffected

Weaknesses

  • CWE-276: CWE-276 Incorrect Default Permissions

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References