Mitsubishi Electric EtherNet/IP Configuration Tools are software utilities used by engineers in Operational Technology (OT) environments to configure and manage Industrial Control System (ICS) components, specifically the MELSEC iQ-R and iQ-F series modules. These modules are critical for industrial process automation in manufacturing, energy, and other critical infrastructure sectors.
The primary risk of CVE-2023-2062 is the exposure of sensitive credentials over the network. An unauthenticated attacker who has already gained a foothold on the OT network can passively intercept FTP passwords transmitted in cleartext by the vulnerable configuration software. This allows the attacker to bypass authentication mechanisms and gain direct unauthorized access to the industrial modules.
Although there is no evidence of active exploitation in real-world environments, a public proof-of-concept exploit is available, increasing the likelihood of future attacks. The vulnerability affects systems where network traffic can be monitored, making environments with flat, unsegmented networks or compromised engineering workstations particularly vulnerable. A successful exploit could lead to the theft of sensitive configuration files, the uploading of malicious logic, or the complete sabotage of physical industrial processes.
| Product | Mitsubishi Electric EtherNet/IP Configuration Tool |
| Date | 2025-12-05 00:12:52 |
Technical Summary
The root cause of this vulnerability is CWE-319: Cleartext Transmission of Sensitive Information. The affected EtherNet/IP configuration tools, SW1DNN-EIPCT-BD and SW1DNN-EIPCTFX5-BD, transmit FTP credentials to MELSEC modules without any form of encryption.
The attack sequence is as follows:
- An operator uses the vulnerable configuration tool to connect to a MELSEC iQ-R or iQ-F series EtherNet/IP module.
- During the connection phase, the tool authenticates with the module’s FTP service.
- The FTP password is sent in a cleartext field within the network packet.
- An attacker positioned on the same local network segment can use a sniffing tool (e.g., Wireshark) to capture this traffic and extract the password.
- With the obtained password, the attacker can then authenticate independently to the module’s FTP server, gaining unauthorized read and write access to the device’s file system.
The following conceptual example illustrates the insecure data flow:
// Vulnerable Logic (Conceptual)
func connectToModule(ip, user, password) {
// The password is sent over a non-encrypted channel (FTP)
ftp_connection = ftp.connect(ip, user, password)
return ftp_connection
}
An attacker can exploit this access to download, modify, or upload device configurations, potentially altering the physical process managed by the controller. All versions of the affected software are considered vulnerable; users should update to the latest version provided by the manufacturer.
Recommendations
Apply the patch immediately: Update all instances of SW1DNN-EIPCT-BD and SW1DNN-EIPCTFX5-BD to the latest versions available from Mitsubishi Electric.
Mitigations:
- Implement strict network segmentation to isolate industrial control systems from corporate (IT) networks. Apply the principle of least privilege, ensuring that only authorized engineering workstations can communicate with MELSEC modules.
- Use firewalls and Access Control Lists (ACLs) to restrict FTP access (typically TCP port 21) to the modules from unauthorized IP addresses.
- Minimize the use of cleartext and unencrypted protocols like FTP on the OT network.
-
Hunting and Monitoring:
- Actively monitor network traffic for any cleartext FTP authentication attempts toward MELSEC modules. Network security monitoring tools can be configured to alert on FTP
USERandPASScommands. - Check logs on the modules (if available) and on central syslog servers for FTP connections originating from unexpected or unauthorized IP addresses.
- Check for unusual volumes of file downloads or uploads from industrial modules.
- Actively monitor network traffic for any cleartext FTP authentication attempts toward MELSEC modules. Network security monitoring tools can be configured to alert on FTP
-
Incident Response:
- If a compromise is suspected, immediately isolate the affected modules from the network to prevent further lateral movement or malicious activity.
- Force a password change on all MELSEC modules after verifying that the configuration tool has been updated.
- Perform an integrity check of device configurations by comparing them against the last known good backup.
-
Defense in Depth:
- Maintain a complete and up-to-date inventory of all OT assets and their network accessibility.
- Ensure that regular and validated backups of configurations for all ICS devices are available for recovery purposes.
[Callforaction-THREAT-Footer]
