CVE-2023-1618
published 2023-05-19

CVE-2023-1618: Active Debug Code vulnerability in Mitsubishi Electric Corporation MELSEC WS Series WS0-GETH00200 Serial number 2310 **** and prior allows a remote…

Priority: P2 58 | Severity: high | CVSS 3.1: 8.6
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
EPSS: 1.13% (62.4th percentile)
Active Debug Code vulnerability in Mitsubishi Electric Corporation MELSEC WS Series WS0-GETH00200 Serial number 2310 **** and prior allows a remote unauthenticated attacker to bypass authentication and illegally log into the affected module by connecting to it via telnet, which is a hidden function and is enabled by default when shipped from the factory. As a result, a remote attacker with unauthorized login can reset the module and, if certain conditions are met, he/she can disclose or tamper with the module's configuration or rewrite the firmware.

Affected

6 ranges
Vendor | Product | Version range | Fixed in
linux | linux_kernel | >= 5.11.0 < 5.15.111 | 5.15.111
linux | linux_kernel | >= 5.16.0 < 6.1.28 | 6.1.28
linux | linux_kernel | >= 5.6.0 < 5.10.180 | 5.10.180
linux | linux_kernel | >= 6.2.0 < 6.2.15 | 6.2.15
linux | linux_kernel | >= 6.3.0 < 6.3.2 | 6.3.2
mitsubishi_electric_corporation | melsec_ws_series_ws0-geth00200 | - | -

Detection & IOCs (extracted from sources)

port: telnet (TCP/23)
command: telnet <IP of affected product>
  • Monitor for unauthenticated inbound Telnet (TCP/23) connections to MELSEC WS0-GETH00200 devices, especially with no password supplied (empty password at prompt).
  • Alert on any Telnet session established to WS0-GETH00200 modules with serial numbers 2310**** and prior, as the hidden Telnet service is enabled by default on these units.
  • Flag Telnet traffic originating from external/untrusted networks destined for OT/ICS segments hosting MELSEC WS Series ethernet interface modules.
  • Detect post-authentication Telnet commands that could indicate firmware rewrite or configuration tampering on the affected module.
  • The Telnet service is a hidden function enabled by default at factory shipment on serial numbers 2310**** and prior; patched units are serial numbers 2311**** and later.
  • The Telnet password on vulnerable units defaults to empty (no password), allowing unauthenticated access; the password can be set to up to 15 characters as a workaround.
  • Exploitation requires only network reachability with no authentication and low attack complexity (CVSS v3 AV:N/AC:L/PR:N/UI:N).
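
The monitoring points above can be combined into one triage pass over network flow records. The following is an added example, not part of the original entry or any vendor tooling; the flow-record format, the asset inventory, the trusted subnet and the rule that the first four serial digits compare numerically are all assumptions.

```python
import ipaddress

# Constructed asset inventory (assumption): module IP -> serial number.
INVENTORY = {
    "10.20.0.11": "23091234",   # 2310**** and prior: hidden Telnet on by default
    "10.20.0.12": "23100007",
    "10.20.0.13": "23110042",   # 2311**** and later: patched
}
TRUSTED = [ipaddress.ip_network("10.20.0.0/24")]  # constructed trusted segment (assumption)

# Constructed flow records: "timestamp src dst dport proto state"
FLOWS = """\
2023-05-20T08:01:02Z 10.20.0.50 10.20.0.11 23 tcp ESTABLISHED
2023-05-20T08:03:10Z 198.51.100.7 10.20.0.12 23 tcp ESTABLISHED
2023-05-20T08:04:00Z 198.51.100.7 10.20.0.13 23 tcp ESTABLISHED
2023-05-20T08:05:30Z 10.20.0.50 10.20.0.12 502 tcp ESTABLISHED
2023-05-20T08:06:00Z 198.51.100.7 10.20.0.11 23 tcp SYN_SENT
"""

def is_vulnerable_serial(serial):
    """True for serials 2310**** and prior (first four digits <= 2310)."""
    prefix = serial.replace(" ", "")[:4]
    return prefix.isdigit() and int(prefix) <= 2310

def triage(flow_text, inventory=INVENTORY, trusted=TRUSTED):
    """Return (severity, timestamp, src, dst, reason) for Telnet flows to inventoried modules."""
    alerts = []
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # skip malformed records
        ts, src, dst, dport, proto, state = parts
        if proto != "tcp" or dport != "23" or dst not in inventory:
            continue  # only TCP/23 towards known WS0-GETH00200 modules
        external = not any(ipaddress.ip_address(src) in n for n in trusted)
        vulnerable = is_vulnerable_serial(inventory[dst])
        if vulnerable and state == "ESTABLISHED":
            sev = "critical" if external else "high"
            reason = "Telnet session to module with serial 2310**** or prior"
        elif vulnerable:
            sev, reason = "medium", "Telnet connection attempt to vulnerable module"
        else:
            sev, reason = "low", "Telnet to module with serial 2311**** or later"
        alerts.append((sev, ts, src, dst, reason))
    return alerts

if __name__ == "__main__":
    for alert in triage(FLOWS):
        print(*alert, sep=" | ")
```

Flow metadata cannot show whether the empty default password was used, so any established session to a 2310**** or earlier unit is treated as a login.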