CVE-2022-25158 - Vulnerability Details

Description

Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric MELSEC iQ-F series FX5U(C) CPU all versions, Mitsubishi Electric MELSEC iQ-F series FX5UJ CPU all versions, Mitsubishi Electric MELSEC iQ-R series R00/01/02CPU all versions, Mitsubishi Electric MELSEC iQ-R series R04/08/16/32/120(EN)CPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120SFCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PSFCPU all versions, Mitsubishi Electric MELSEC iQ-R series RJ71C24(-R2/R4) all versions, Mitsubishi Electric MELSEC iQ-R series RJ71EN71 all versions, Mitsubishi Electric MELSEC iQ-R series RJ71GF11-T2 all versions, Mitsubishi Electric MELSEC iQ-R series RJ71GP21(S)-SX all versions, Mitsubishi Electric MELSEC iQ-R series RJ72GF15-T2 all versions, Mitsubishi Electric MELSEC Q series Q03UDECPU all versions, Mitsubishi Electric MELSEC Q series Q04/06/10/13/20/26/50/100UDEHCPU all versions, Mitsubishi Electric MELSEC Q series Q03/04/06/13/26UDVCPU all versions, Mitsubishi Electric MELSEC Q series Q04/06/13/26UDPVCPU all versions, Mitsubishi Electric MELSEC Q series QJ71C24N(-R2/R4) all versions, Mitsubishi Electric MELSEC Q series QJ71E71-100 all versions, Mitsubishi Electric MELSEC L series L02/06/26CPU(-P) all versions, Mitsubishi Electric MELSEC L series L26CPU-(P)BT all versions, Mitsubishi Electric MELSEC L series LJ71C24(-R2) all versions, Mitsubishi Electric MELSEC L series LJ71E71-100 all versions and Mitsubishi Electric MELSEC L series LJ72GF15-T2 all versions allows a remote attacker to disclose or tamper with a file in which password hash is saved in cleartext.

Published: 2022-04-01

Score: 9.1 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

No analysis available yet.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

Mitsubishi Electric MELSEC iQ-F series FX5U(C) CPU; Mitsubishi Electric MELSEC iQ-F series FX5UJ CPU; Mitsubishi Electric MELSEC iQ-R series R00/01/02CPU; Mitsubishi Electric MELSEC iQ-R series R04/08/16/32/120(EN)CPU; Mitsubishi Electric MELSEC iQ-R series R08/16/32/120SFCPU; Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PCPU; Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PSFCPU; itsubishi Electric MELSEC iQ-R series RJ71C24(-R2/R4); Mitsubishi Electric MELSEC iQ-R series RJ71EN71; Mitsubishi Electric MELSEC iQ-R series RJ71GF11-T2; Mitsubishi Electric MELSEC iQ-R series RJ71GP21(S)-SX; Mitsubishi Electric MELSEC iQ-R series RJ72GF15-T2; Mitsubishi Electric MELSEC Q series Q03UDECPU; Mitsubishi Electric MELSEC Q series Q04/06/10/13/20/26/50/100UDEHCPU; Mitsubishi Electric MELSEC Q series Q03/04/06/13/26UDVCPU; Mitsubishi Electric MELSEC Q series Q04/06/13/26UDPVCPU; Mitsubishi Electric MELSEC Q series QJ71C24N(-R2/R4); Mitsubishi Electric MELSEC Q series QJ71E71-100; Mitsubishi Electric MELSEC L series L02/06/26CPU(-P); Mitsubishi Electric MELSEC L series L26CPU-(P)BT; Mitsubishi Electric MELSEC L series LJ71C24(-R2); Mitsubishi Electric MELSEC L series LJ71E71-100; Mitsubishi Electric MELSEC L series LJ72GF15-T2

affected

Version	Status	Constraints
`Mitsubishi Electric MELSEC iQ-F series FX5U(C) CPU all versions`	affected	—
`Mitsubishi Electric MELSEC iQ-F series FX5UJ CPU all versions`	affected	—
`Mitsubishi Electric MELSEC iQ-R series R00/01/02CPU all versions`	affected	—
`Mitsubishi Electric MELSEC iQ-R series R04/08/16/32/120(EN)CPU all versions`	affected	—
`Mitsubishi Electric MELSEC iQ-R series R08/16/32/120SFCPU all versions`	affected	—
`Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PCPU all versions`	affected	—
`Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PSFCPU all versions`	affected	—
`Mitsubishi Electric MELSEC iQ-R series RJ71C24(-R2/R4) all versions`	affected	—
`Mitsubishi Electric MELSEC iQ-R series RJ71EN71 all versions`	affected	—
`Mitsubishi Electric MELSEC iQ-R series RJ71GF11-T2 all versions`	affected	—
`Mitsubishi Electric MELSEC iQ-R series RJ71GP21(S)-SX all versions`	affected	—
`Mitsubishi Electric MELSEC iQ-R series RJ72GF15-T2 all versions`	affected	—
`Mitsubishi Electric MELSEC Q series Q03UDECPU all versions`	affected	—
`Mitsubishi Electric MELSEC Q series Q04/06/10/13/20/26/50/100UDEHCPU all versions`	affected	—
`Mitsubishi Electric MELSEC Q series Q03/04/06/13/26UDVCPU all versions`	affected	—
`Mitsubishi Electric MELSEC Q series Q04/06/13/26UDPVCPU all versions`	affected	—
`Mitsubishi Electric MELSEC Q series QJ71C24N(-R2/R4) all versions`	affected	—
`Mitsubishi Electric MELSEC Q series QJ71E71-100 all versions`	affected	—
`Mitsubishi Electric MELSEC L series L02/06/26CPU(-P) all versions`	affected	—
`Mitsubishi Electric MELSEC L series L26CPU-(P)BT all versions`	affected	—
`Mitsubishi Electric MELSEC L series LJ71C24(-R2) all versions`	affected	—
`Mitsubishi Electric MELSEC L series LJ71E71-100 all versions`	affected	—
`Mitsubishi Electric MELSEC L series LJ72GF15-T2 all versions`	affected	—

Configuration 1 [-]

AND

cpe:2.3:o:mitsubishielectric:fx5uc_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:mitsubishielectric:fx5uc:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND

cpe:2.3:o:mitsubishielectric:fx5uc-32mr\/ds-ts_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:mitsubishielectric:fx5uc-32mr\/ds-ts:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND

cpe:2.3:o:mitsubishielectric:fx5uc-32mt\/d_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:mitsubishielectric:fx5uc-32mt\/d:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND

cpe:2.3:o:mitsubishielectric:fx5uc-32mt\/dss_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:mitsubishielectric:fx5uc-32mt\/dss:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND

cpe:2.3:o:mitsubishielectric:fx5uj-24mr\/es_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:mitsubishielectric:fx5uj-24mr\/es:-:*:*:*:*:*:*:*

Configuration 6 [-]

AND

cpe:2.3:o:mitsubishielectric:fx5uj-24mt\/es_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:mitsubishielectric:fx5uj-24mt\/es:-:*:*:*:*:*:*:*

Configuration 7 [-]

AND

cpe:2.3:o:mitsubishielectric:fx5uj-24mt\/ess_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:mitsubishielectric:fx5uj-24mt\/ess:-:*:*:*:*:*:*:*

Configuration 8 [-]

AND

cpe:2.3:o:mitsubishielectric:fx5uj-40mr\/es_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:mitsubishielectric:fx5uj-40mr\/es:-:*:*:*:*:*:*:*

Configuration 9 [-]

AND

cpe:2.3:o:mitsubishielectric:fx5uj-40mt\/es_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:mitsubishielectric:fx5uj-40mt\/es:-:*:*:*:*:*:*:*

Configuration 10 [-]

AND

cpe:2.3:o:mitsubishielectric:fx5uj-40mt\/ess_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:mitsubishielectric:fx5uj-40mt\/ess:-:*:*:*:*:*:*:*

Configuration 11 [-]

AND

cpe:2.3:o:mitsubishielectric:fx5uj-60mr\/es_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:mitsubishielectric:fx5uj-60mr\/es:-:*:*:*:*:*:*:*

Configuration 12 [-]

AND

cpe:2.3:o:mitsubishielectric:fx5uj-60mt\/es_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:mitsubishielectric:fx5uj-60mt\/es:-:*:*:*:*:*:*:*

Configuration 13 [-]

AND

cpe:2.3:o:mitsubishielectric:fx5uj-60mt\/ess_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:mitsubishielectric:fx5uj-60mt\/ess:-:*:*:*:*:*:*:*

Configuration 14 [-]

AND

cpe:2.3:o:mitsubishielectric:fx5uc-32mt\/dss-ts_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:mitsubishielectric:fx5uc-32mt\/dss-ts:-:*:*:*:*:*:*:*

Configuration 15 [-]

AND

cpe:2.3:o:mitsubishielectric:fx5uc-32mt\/ds-ts_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:mitsubishielectric:fx5uc-32mt\/ds-ts:-:*:*:*:*:*:*:*

Configuration 16 [-]

AND

cpe:2.3:o:mitsubishielectric:fx5uj_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:mitsubishielectric:fx5uj:-:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

No remediation available yet.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2022-29901	Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric MELSEC iQ-F series FX5U(C) CPU all versions, Mitsubishi Electric MELSEC iQ-F series FX5UJ CPU all versions, Mitsubishi Electric MELSEC iQ-R series R00/01/02CPU all versions, Mitsubishi Electric MELSEC iQ-R series R04/08/16/32/120(EN)CPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120SFCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PCPU all versions, Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PSFCPU all versions, Mitsubishi Electric MELSEC iQ-R series RJ71C24(-R2/R4) all versions, Mitsubishi Electric MELSEC iQ-R series RJ71EN71 all versions, Mitsubishi Electric MELSEC iQ-R series RJ71GF11-T2 all versions, Mitsubishi Electric MELSEC iQ-R series RJ71GP21(S)-SX all versions, Mitsubishi Electric MELSEC iQ-R series RJ72GF15-T2 all versions, Mitsubishi Electric MELSEC Q series Q03UDECPU all versions, Mitsubishi Electric MELSEC Q series Q04/06/10/13/20/26/50/100UDEHCPU all versions, Mitsubishi Electric MELSEC Q series Q03/04/06/13/26UDVCPU all versions, Mitsubishi Electric MELSEC Q series Q04/06/13/26UDPVCPU all versions, Mitsubishi Electric MELSEC Q series QJ71C24N(-R2/R4) all versions, Mitsubishi Electric MELSEC Q series QJ71E71-100 all versions, Mitsubishi Electric MELSEC L series L02/06/26CPU(-P) all versions, Mitsubishi Electric MELSEC L series L26CPU-(P)BT all versions, Mitsubishi Electric MELSEC L series LJ71C24(-R2) all versions, Mitsubishi Electric MELSEC L series LJ71E71-100 all versions and Mitsubishi Electric MELSEC L series LJ72GF15-T2 all versions allows a remote attacker to disclose or tamper with a file in which password hash is saved in cleartext.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00323.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://jvn.jp/vu/JVNVU96577897/index.html
https://www.cisa.gov/uscert/ics/advisories/icsa-22-090-04
https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-031_en.pdf

History

No history.

Subscriptions

Mitsubishielectric Fx5uc Fx5uc-32mr\/ds-ts Fx5uc-32mr\/ds-ts Firmware Fx5uc-32mt\/d Fx5uc-32mt\/d Firmware Fx5uc-32mt\/ds-ts Fx5uc-32mt\/ds-ts Firmware Fx5uc-32mt\/dss Fx5uc-32mt\/dss-ts Fx5uc-32mt\/dss-ts Firmware Fx5uc-32mt\/dss Firmware Fx5uc Firmware Fx5uj Fx5uj-24mr\/es Fx5uj-24mr\/es Firmware Fx5uj-24mt\/es Fx5uj-24mt\/es Firmware Fx5uj-24mt\/ess Fx5uj-24mt\/ess Firmware Fx5uj-40mr\/es Fx5uj-40mr\/es Firmware Fx5uj-40mt\/es Fx5uj-40mt\/es Firmware Fx5uj-40mt\/ess Fx5uj-40mt\/ess Firmware Fx5uj-60mr\/es Fx5uj-60mr\/es Firmware Fx5uj-60mt\/es Fx5uj-60mt\/es Firmware Fx5uj-60mt\/ess Fx5uj-60mt\/ess Firmware Fx5uj Firmware

MITRE

Status: PUBLISHED

Assigner: Mitsubishi

Published: 2022-04-01T22:18:01.000Z

Updated: 2024-08-03T04:29:01.545Z

Reserved: 2022-02-14T00:00:00.000Z

Link: CVE-2022-25158

Vulnrichment

No data.

NVD

Status : Modified

Published: 2022-04-01T23:15:14.340

Modified: 2024-11-21T06:51:42.977

Link: CVE-2022-25158

Redhat

No data.

OpenCVE Enrichment

No data.

Weaknesses

CWE-312

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact None

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object