CVE-2023-2846

HIGH

Mitsubishi Electric Corporation MELSEC iQ-F Series - Auth Bypass

Title source: llm

Description

Authentication Bypass by Capture-replay vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series main modules allows a remote unauthenticated attacker to cancel the password/keyword setting and login to the affected products by sending specially crafted packets.

References (3)

[Mitigation, Third Party Advisory] https://jvn.jp/vu/JVNVU94519952

[Mitigation, Third Party Advisory, US Government Resource] https://www.cisa.gov/news-events/ics-advisories/icsa-23-180-04

[Mitigation, Vendor Advisory] https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-005_en.pdf

Scores

CVSS v3 7.5

EPSS 0.0009

EPSS Percentile 24.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Classification

CWE

CWE-294

Status published

Affected Products (50)

mitsubishielectric/fx3u-16mr\/es_firmware

mitsubishielectric/fx3u-16mt\/es_firmware

mitsubishielectric/fx3u-16mt\/ess_firmware

mitsubishielectric/fx3u-32mr\/es_firmware

mitsubishielectric/fx3u-32mt\/es_firmware

mitsubishielectric/fx3u-32mt\/ess_firmware

mitsubishielectric/fx3u-48mr\/es_firmware

mitsubishielectric/fx3u-48mt\/es_firmware

mitsubishielectric/fx3u-48mt\/ess_firmware

mitsubishielectric/fx3u-64mr\/es_firmware

mitsubishielectric/fx3u-64mt\/es_firmware

mitsubishielectric/fx3u-64mt\/ess_firmware

mitsubishielectric/fx3u-80mr\/es_firmware

mitsubishielectric/fx3u-80mt\/es_firmware

mitsubishielectric/fx3u-80mt\/ess_firmware

... and 35 more

Timeline

Published Jun 30, 2023

Tracked Since Feb 18, 2026