
CISA: Mitsubishi Electric PLCs impacted by several flaws

The Cybersecurity and Infrastructure Security Agency has warned that several vulnerabilities in the Mitsubishi Electric GX Works3 engineering workstation software for industrial control system environments could be exploited to gain access to certain CPU and OPC UA modules, as well as to view and execute programs, according to The Hacker News. Threat actors could leverage the most severe flaws, tracked as CVE-2022-25164 and CVE-2022-29830, to access the CPU module and obtain project file data even without permissions, noted CISA in its ICS advisory warning. Meanwhile, the CVE-2022-29831 bug identified by Nozomi Networks could be abused to allow direct access to the safety CPU module and disruption of the industrial process. Three other vulnerabilities in Horner Automation Remote Compact Controller 972 have also been detailed by CISA. "Engineering software represents a critical component in the security chain of industrial controllers. Should any vulnerabilities arise in them, adversaries may abuse them to ultimately compromise the managed devices and, consequently, the supervised industrial process," said Nozomi Networks.
