Cyber Resilience

CVE-2023-0525

High

Published: 04 August 2023

Published
04 August 2023
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0046 64.8th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-0525 is a high-severity Weak Encoding for Password (CWE-261) vulnerability in Mitsubishielectric Gt Designer3. Its CVSS base score is 7.5 (High).

Operationally, ranked in the top 35.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Weak Encoding for Password vulnerability in Mitsubishi Electric Corporation GOT2000 Series GT27 model versions 01.49.000 and prior, GT25 model versions 01.49.000 and prior, GT23 model versions 01.49.000 and prior, GT21 model versions 01.49.000 and prior, GOT SIMPLE Series GS25 model…

more

versions 01.49.000 and prior, GS21 model versions 01.49.000 and prior, GT Designer3 Version1 (GOT2000) versions 1.295H and prior and GT SoftGOT2000 versions 1.295H and prior allows a remote unauthenticated attacker to obtain plaintext passwords by sniffing packets containing encrypted passwords and decrypting the encrypted passwords, in the case of transferring data with GT Designer3 Version1(GOT2000) and GOT2000 Series or GOT SIMPLE Series with the Data Transfer Security function enabled, or in the case of transferring data by the SoftGOT-GOT link function with GT SoftGOT2000 and GOT2000 series with the Data Transfer Security function enabled.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

mitsubishielectric
gt designer3
≤ 1.300n
mitsubishielectric
gt softgot2000
≤ 1.300n
mitsubishielectric
gt27 firmware
≤ 01.50.000
mitsubishielectric
gt25 firmware
≤ 01.50.000
mitsubishielectric
gt23 firmware
≤ 01.50.000
mitsubishielectric
gt21 firmware
≤ 01.50.000
mitsubishielectric
gs25 firmware
≤ 01.50.000
mitsubishielectric
gs21 firmware
≤ 01.50.000

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-326

Maintaining currency with technologies and practices reduces selection of encryption mechanisms that provide inadequate strength.

addresses: CWE-326

Updated assessments identify when previously adequate encryption strength no longer meets current attack capabilities or compliance drivers.

addresses: CWE-326

Establishment procedures require selection and generation of keys with adequate length and strength for the chosen algorithm.

addresses: CWE-326

Specifies required cryptography types and parameters, preventing selection of inadequate encryption strength.

addresses: CWE-326

Prompt patching corrects inadequate encryption strength when vendors release updates that increase key sizes or algorithm security.

References