CVE-2023-3346
published 2023-08-03

CVE-2023-3346: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in MITSUBISHI CNC Series allows a remote unauthenticated attacker to cause…

Priority: P262 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 1.67% (73.9th percentile)
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in MITSUBISHI CNC Series allows a remote unauthenticated attacker to cause Denial of Service (DoS) condition and execute arbitrary code on the product by sending specially crafted packets. In addition, system reset is required for recovery.

Affected

20 ranges
| Vendor | Product | Version range | Fixed in |
| mitsubishi_electric_corporation | mitsubishi_cnc_c80_series_c80 | | |
| mitsubishi_electric_corporation | mitsubishi_cnc_e70_series_e70 | | |
| mitsubishi_electric_corporation | mitsubishi_cnc_e80_series_e80 | | |
| mitsubishi_electric_corporation | mitsubishi_cnc_iot_unit_data_acquisition_unit | | |
| mitsubishi_electric_corporation | mitsubishi_cnc_iot_unit_remote_service_gateway_unit | | |
| mitsubishi_electric_corporation | mitsubishi_cnc_m700v_series_m720vs | | |
| mitsubishi_electric_corporation | mitsubishi_cnc_m700v_series_m720vw | | |
| mitsubishi_electric_corporation | mitsubishi_cnc_m700v_series_m730vs | | |
| mitsubishi_electric_corporation | mitsubishi_cnc_m700v_series_m730vw | | |
| mitsubishi_electric_corporation | mitsubishi_cnc_m700v_series_m750vs | | |
| mitsubishi_electric_corporation | mitsubishi_cnc_m700v_series_m750vw | | |
| mitsubishi_electric_corporation | mitsubishi_cnc_m70v_series_m70v | | |
| mitsubishi_electric_corporation | mitsubishi_cnc_m800_series_m800s | | |
| mitsubishi_electric_corporation | mitsubishi_cnc_m800_series_m800w | | |
| mitsubishi_electric_corporation | mitsubishi_cnc_m800v_series_m800vs | | |
| mitsubishi_electric_corporation | mitsubishi_cnc_m800v_series_m800vw | | |
| mitsubishi_electric_corporation | mitsubishi_cnc_m80_series_m80 | | |
| mitsubishi_electric_corporation | mitsubishi_cnc_m80_series_m80w | | |
| mitsubishi_electric_corporation | mitsubishi_cnc_m80v_series_m80v | | |
| mitsubishi_electric_corporation | mitsubishi_cnc_m80v_series_m80vw | | |

Detection & IOCs (extracted from sources)

  • Trigger condition: remote unauthenticated attacker sends specially crafted packets to cause buffer overflow (CWE-120) on Mitsubishi Electric CNC Series devices, enabling DoS and arbitrary code execution
  • No authentication required and low attack complexity — network-facing CNC devices should be monitored for unexpected or malformed inbound packet traffic
  • No known public exploits exist as of advisory publication; monitor for novel exploit attempts targeting Mitsubishi CNC network services
  • Data Acquisition Unit (BND-2041W002-**) has NO fixed version available — all versions remain affected
  • Exploitation requires a system reset for recovery — standard service restart is insufficient for remediation after a successful attack
  • Attack vector is network (AV:N), no privileges required (PR:N), no user interaction (UI:N) — CVSS v3 base score 9.8; all network-exposed CNC devices should be treated as critical risk