CVE-2023-1618

HIGH

Mitsubishi Electric MELSEC WS Series - Auth Bypass

Title source: llm

Description

Active Debug Code vulnerability in Mitsubishi Electric Corporation MELSEC WS Series WS0-GETH00200 Serial number 2310 **** and prior allows a remote unauthenticated attacker to bypass authentication and illegally log into the affected module by connecting to it via telnet which is hidden function and is enabled by default when shipped from the factory. As a result, a remote attacker with unauthorized login can reset the module, and if certain conditions are met, he/she can disclose or tamper with the module's configuration or rewrite the firmware.

References (3)

[Third Party Advisory] https://jvn.jp/vu/JVNVU96063959

[Mitigation, Third Party Advisory, US Government Resource] https://www.cisa.gov/news-events/ics-advisories/icsa-23-138-02

[Vendor Advisory] https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-002_en.pdf

Scores

CVSS v3 7.5

EPSS 0.0017

EPSS Percentile 38.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

CWE

CWE-489 CWE-1188

Status published

Products (1)

mitsubishielectric/melsec_ws0-geth00200_firmware

Published May 19, 2023

Tracked Since Feb 18, 2026