CVE-2023-1424
Published: 24 May 2023
Summary
CVE-2023-1424 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in Mitsubishi Electric MELSEC iQ-F FX5U-32MR/DS firmware. Its CVSS base score is 10.0 (Critical).
Operationally, it ranks in the top 12.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2023-1424 is a classic buffer overflow vulnerability (CWE-120) affecting Mitsubishi Electric MELSEC iQ-F Series and MELSEC iQ-R Series CPU modules. The flaw permits a remote attacker to send specially crafted packets that trigger memory corruption, leading to either a denial-of-service condition or arbitrary code execution on the target device. Recovery from a DoS state requires a manual system reset of the affected module.
An unauthenticated attacker with network access can exploit the issue without user interaction or credentials, achieving either persistent disruption or full control over the PLC. The vulnerability carries a CVSS 3.1 base score of 10.0, reflecting its network attack vector and the high impact on confidentiality, integrity, and availability within an industrial control system context.
Vendor and government advisories, including Mitsubishi Electric’s security bulletin 2023-003 and CISA ICSA-23-143-03, provide mitigation guidance and are available at the referenced URLs. The EPSS score rose from a low baseline to a peak of 0.0500 on 2025-01-22 before receding to its current value of 0.0276, indicating a measurable increase in observed exploitation interest well after initial disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-23677
Vulnerability details
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series CPU modules and MELSEC iQ-R Series CPU modules allows a remote unauthenticated attacker to cause a denial of service (DoS) condition or execute malicious code on a target product by sending specially crafted packets. A system reset of the product is required for recovery from a denial of service (DoS) condition and malicious code execution.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Platform-independent managed code eliminates the need for unchecked native buffer copies that are the root cause of classic buffer overflows.