### Vulnerability Key Information

#### Vulnerability ID

- **JVNVD#94620134**

#### Vulnerability Description

- **Summary**: Multiple FA products provided by Mitsubishi Electric Corporation are affected by various vulnerabilities.
- **Affected Systems**: The range of affected products is extensive; specific product series, models, and versions should be referenced from the vendor's provided information.

#### Specific Vulnerability Details

1. **Arbitrary Command Execution Vulnerability (CVE-2023-4699)**
   - **Vulnerability Type**: Insufficient authentication for critical functions in proprietary protocol communication (CWE-306)
   - **CVSS Score**: 10.0
   - **Impact**: A remote third party can cause the product to execute arbitrary commands via specific packets, leading to read/write operations on control programs, information theft or tampering, memory content reset, and denial-of-service (DoS) conditions.

2. **Improper Restriction of Excessive Authentication Attempts in Web Server Function (CVE-2023-4625)**
   - **Vulnerability Type**: Improper restriction of excessive authentication attempts in the CPU unit's web server function (CWE-307)
   - **CVSS Score**: 5.3
   - **Impact**: A remote third party can perform continuous invalid login attempts, potentially blocking legitimate users from logging in for a certain period, thereby disrupting the web server function's login capability.

#### Mitigation Measures

- **Workarounds**: Implementing the following mitigation measures may reduce the impact of the vulnerabilities.
  - Isolate the product appropriately within the network and enforce access controls.
  - Use firewalls or VPNs to prevent unauthorized access.
  - Restrict physical LAN access using hardware parameters.
  - Configure device parameters to limit operations at conservative screen levels.

#### Reference Information

- **ICS Advisory**
  1. ICSA-23-306-03
  2. ICSA-23-306-02

#### Additional Information

- **JPCERT/CC**: Provides vulnerability analysis results and emergency reports.
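The CWE-307 issue above means the CPU unit's web server cannot itself be relied on to throttle repeated invalid logins, so the lockout-style disruption has to be spotted upstream, for example from a reverse proxy or firewall log in front of the device. The following detector is an added example written for this summary; it is not code from JVN, JPCERT/CC or Mitsubishi Electric, and the log line format, the source addresses and the threshold of five failures per 60 seconds are all assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format, not from any Mitsubishi product):
# "<ISO-8601 timestamp> <source-ip> <LOGIN_OK|LOGIN_FAIL> user=<name>"
SAMPLE_LOG = """\
2024-01-10T09:00:00 192.0.2.10 LOGIN_FAIL user=admin
2024-01-10T09:00:05 192.0.2.10 LOGIN_FAIL user=admin
2024-01-10T09:00:10 192.0.2.10 LOGIN_FAIL user=admin
2024-01-10T09:00:12 198.51.100.7 LOGIN_OK user=operator
2024-01-10T09:00:15 192.0.2.10 LOGIN_FAIL user=admin
2024-01-10T09:00:20 192.0.2.10 LOGIN_FAIL user=admin
2024-01-10T09:00:25 192.0.2.10 LOGIN_FAIL user=admin
2024-01-10T09:03:00 198.51.100.7 LOGIN_FAIL user=operator
2024-01-10T09:03:30 198.51.100.7 LOGIN_OK user=operator
"""

# Assumed policy: five or more failures from one source inside a 60 s sliding window
FAIL_THRESHOLD = 5
WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Split one log line into (timestamp, source_ip, result, user)."""
    ts, ip, result, user_field = line.split()
    return datetime.fromisoformat(ts), ip, result, user_field.split("=", 1)[1]


def detect_bruteforce(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one alert per source address whose failed logins reach
    `threshold` within `window`; successes are ignored for counting so a
    mixed burst still triggers."""
    recent = defaultdict(deque)   # source ip -> timestamps of recent failures
    alerted = set()               # sources already reported for this burst
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, ip, result, user = parse_line(raw)
        if result != "LOGIN_FAIL":
            continue
        window_q = recent[ip]
        window_q.append(ts)
        # Drop failures that have aged out of the sliding window
        while window_q and ts - window_q[0] > window:
            window_q.popleft()
        if len(window_q) >= threshold and ip not in alerted:
            alerts.append({
                "source": ip,
                "user": user,
                "first_failure": window_q[0],
                "last_failure": ts,
                "failures": len(window_q),
            })
            alerted.add(ip)
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(f"{alert['source']}: {alert['failures']} failed logins for "
              f"user={alert['user']} between {alert['first_failure']} "
              f"and {alert['last_failure']}")
```

Because the impact of CVE-2023-4625 is that legitimate users get locked out, an alert from this detector is a cue to block the offending source at the firewall or VPN boundary named in the workarounds, rather than to tighten a lockout on the device, which would only make the denial of service easier to cause.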
#### Update History

- **2023/11/06**: Added ICS Advisory links.
- **2024/02/15**: Updated affected systems and mitigation measures.
- **2024/11/12**: Updated title, summary, affected systems, and other information.