CVE-2022-40267
published 2023-01-20

CVE-2022-40267: Predictable Seed in Pseudo-Random Number Generator (PRNG) vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series FX5U-xMy/z (x=32,64,80, y=T,R…

Priority: P259
Severity: critical, 9.1 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 1.18% (63.9th percentile)
Predictable Seed in Pseudo-Random Number Generator (PRNG) vulnerability in the following Mitsubishi Electric Corporation products allows a remote unauthenticated attacker to access the Web server function by guessing the random numbers used for authentication from several used random numbers:
  • MELSEC iQ-F Series FX5U-xMy/z (x=32,64,80, y=T,R, z=ES,DS,ESS,DSS) with serial number 17X**** or later, versions 1.280 and prior
  • MELSEC iQ-F Series FX5U-xMy/z (x=32,64,80, y=T,R, z=ES,DS,ESS,DSS) with serial number 179**** and prior, versions 1.074 and prior
  • MELSEC iQ-F Series FX5UC-xMy/z (x=32,64,96, y=T, z=D,DSS) with serial number 17X**** or later, versions 1.280 and prior
  • MELSEC iQ-F Series FX5UC-xMy/z (x=32,64,96, y=T, z=D,DSS) with serial number 179**** and prior, versions 1.074 and prior
  • MELSEC iQ-F Series FX5UC-32MT/DS-TS versions 1.280 and prior
  • MELSEC iQ-F Series FX5UC-32MT/DSS-TS versions 1.280 and prior
  • MELSEC iQ-F Series FX5UJ-xMy/z (x=24,40,60, y=T,R, z=ES,ESS) versions 1.042 and prior
  • MELSEC iQ-F Series FX5UJ-xMy/ES-A (x=24,40,60, y=T,R) versions 1.043 and prior
  • MELSEC iQ-F Series FX5S-xMy/z (x=30,40,60,80, y=T,R, z=ES,ESS) versions 1.003 and prior
  • MELSEC iQ-F Series FX5UC-32MR/DS-TS versions 1.280 and prior
  • MELSEC iQ-R Series R00/01/02CPU versions 33 and prior
  • MELSEC iQ-R Series R04/08/16/32/120(EN)CPU versions 66 and prior

Affected

122 ranges (showing 25)

Vendor                           Product                            Version range    Fixed in
gitpython_project                gitpython                          >= 0 < 3.1.32    3.1.32
mitsubishi_electric_corporation  melsec_iq-f_seres_fx5u-80mt_es
mitsubishi_electric_corporation  melsec_iq-f_seres_fx5u-80mt_es
mitsubishi_electric_corporation  melsec_iq-f_series_fx5s-30mr_es
mitsubishi_electric_corporation  melsec_iq-f_series_fx5s-30mt_es
mitsubishi_electric_corporation  melsec_iq-f_series_fx5s-30mt_ess
mitsubishi_electric_corporation  melsec_iq-f_series_fx5s-40mr_es
mitsubishi_electric_corporation  melsec_iq-f_series_fx5s-40mt_es
mitsubishi_electric_corporation  melsec_iq-f_series_fx5s-40mt_ess
mitsubishi_electric_corporation  melsec_iq-f_series_fx5s-60mr_es
mitsubishi_electric_corporation  melsec_iq-f_series_fx5s-60mt_es
mitsubishi_electric_corporation  melsec_iq-f_series_fx5s-60mt_ess
mitsubishi_electric_corporation  melsec_iq-f_series_fx5s-80mr_es
mitsubishi_electric_corporation  melsec_iq-f_series_fx5s-80mt_es
mitsubishi_electric_corporation  melsec_iq-f_series_fx5s-80mt_ess
mitsubishi_electric_corporation  melsec_iq-f_series_fx5u-32mr_ds
mitsubishi_electric_corporation  melsec_iq-f_series_fx5u-32mr_ds
mitsubishi_electric_corporation  melsec_iq-f_series_fx5u-32mr_es
mitsubishi_electric_corporation  melsec_iq-f_series_fx5u-32mr_es
mitsubishi_electric_corporation  melsec_iq-f_series_fx5u-32mt_ds
mitsubishi_electric_corporation  melsec_iq-f_series_fx5u-32mt_ds
mitsubishi_electric_corporation  melsec_iq-f_series_fx5u-32mt_dss
mitsubishi_electric_corporation  melsec_iq-f_series_fx5u-32mt_dss
mitsubishi_electric_corporation  melsec_iq-f_series_fx5u-32mt_es
mitsubishi_electric_corporation  melsec_iq-f_series_fx5u-32mt_es

Detection & IOCs (extracted from sources)

  • The vulnerability targets the WEB server function on affected Mitsubishi Electric MELSEC iQ-F and iQ-R Series PLCs; monitor for repeated or anomalous HTTP authentication attempts against these devices, which may indicate an attacker brute-forcing/guessing PRNG-derived session tokens.
  • The attack is network-based, requires no authentication, and has high attack complexity (CVSS AV:N/AC:H/PR:N/UI:N). Detection should focus on unauthenticated remote access attempts to the PLC web server, particularly from external/untrusted hosts.
  • Flag any access to the MELSEC iQ-F/iQ-R web server function originating from untrusted networks or hosts not whitelisted via the IP filter function, as exploitation requires network reachability to the device.
  • No known public exploits specifically target this vulnerability at time of advisory publication; exploitation requires high attack complexity (predicting the PRNG seed from observed random numbers).
  • The iQ-R Series products (R00/01/02CPU and R04/08/16/32/120(EN)CPU) were added in Update B of the advisory; earlier detection rules or asset inventories based on the original advisory may not include these devices.

CVSS provenance

Source         Version   Score   Severity   Vector
nvd            v3.1      9.1     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
ghsa                     9.8     CRITICAL
vendor_redhat            8.1     HIGH