Cyber Resilience

CVE-2023-1424

Critical

Published: 24 May 2023

Published
24 May 2023
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0318 87.3th percentile
Risk Priority 22 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-1424 is a critical-severity Classic Buffer Overflow (CWE-120) vulnerability in Mitsubishielectric Melsec Iq-Fx5U-32Mr\/Ds Firmware. Its CVSS base score is 10.0 (Critical).

Operationally, ranked in the top 12.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2023-1424 is a classic buffer overflow vulnerability (CWE-120) affecting Mitsubishi Electric MELSEC iQ-F Series and MELSEC iQ-R Series CPU modules. The flaw permits a remote attacker to send specially crafted packets that trigger memory corruption, leading to either a denial-of-service condition or arbitrary code execution on the target device. Recovery from a DoS state requires a manual system reset of the affected module.

An unauthenticated attacker with network access can exploit the issue without user interaction or credentials, achieving either persistent disruption or full control over the PLC. The vulnerability carries a CVSS 3.1 base score of 10.0, reflecting its network-exposable nature and the high impact on confidentiality, integrity, and availability within an industrial control system context.

Vendor and government advisories, including Mitsubishi Electric’s security bulletin 2023-003 and CISA ICSA-23-143-03, provide mitigation guidance and are available at the referenced URLs. The EPSS score rose from a low baseline to a peak of 0.0500 on 2025-01-22 before receding to its current value of 0.0276, indicating a measurable increase in observed exploitation interest well after initial disclosure.

EU & UK References

Vulnerability details

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series CPU modules and MELSEC iQ-R Series CPU modules allows a remote unauthenticated attacker to cause a denial of service (DoS) condition or…

more

execute malicious code on a target product by sending specially crafted packets. A system reset of the product is required for recovery from a denial of service (DoS) condition and malicious code execution.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

mitsubishielectric
melsec iq-fx5u-32mr\/ds firmware
all versions
mitsubishielectric
melsec iq-fx5u-32mr\/dss firmware
all versions
mitsubishielectric
melsec iq-fx5u-32mr\/es firmware
all versions
mitsubishielectric
melsec iq-fx5u-32mr\/ess firmware
all versions
mitsubishielectric
melsec iq-fx5u-32mt\/ds firmware
all versions
mitsubishielectric
melsec iq-fx5u-32mt\/dss firmware
all versions
mitsubishielectric
melsec iq-fx5u-32mt\/es firmware
all versions
mitsubishielectric
melsec iq-fx5u-32mt\/ess firmware
all versions
mitsubishielectric
melsec iq-fx5u-64mr\/ds firmware
all versions
mitsubishielectric
melsec iq-fx5u-64mr\/dss firmware
all versions
+29 more product configuration(s) — see NVD for full list

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-120

Platform-independent managed code eliminates the need for unchecked native buffer copies that are the root cause of classic buffer overflows.

References