Cyber Resilience

CVE-2023-4625

Severity: Medium
Published: 06 November 2023
Modified: 21 November 2024
KEV Added: not listed
CVSS v3.1 base score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
EPSS score: 0.0011 (28.2nd percentile)
Risk Priority: 11 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-4625 is a medium-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in the Web server function of Mitsubishi Electric MELSEC iQ-F/iQ-R Series CPU modules; the NVD entry lists the affected products by firmware, beginning with FX5U-32MT/ES. Its CVSS v3.1 base score is 5.3 (Medium): the vector string indicates a network-reachable issue that needs no privileges and no user interaction and affects availability only, with no confidentiality or integrity impact.

Its EPSS score places it at the 28.2nd percentile by predicted exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

An Improper Restriction of Excessive Authentication Attempts vulnerability in the Web server function of Mitsubishi Electric Corporation MELSEC iQ-F/iQ-R Series CPU modules allows a remote, unauthenticated attacker to prevent legitimate users from logging into the Web server function for a certain period after the attacker has attempted to log in illegally, by continuously submitting unauthorized login attempts to the Web server function. The impact persists for as long as the attacker keeps attempting unauthorized logins.

In other words, the login-failure response that is meant to slow brute-force guessing is the denial-of-service vector: because it blocks the login function as a whole rather than only the offending source, an attacker who never needs valid credentials can keep re-triggering it and lock out the operators.

CWE(s)

CWE-307 Improper Restriction of Excessive Authentication Attempts

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Mitsubishi Electric FX5U-32MT/ES firmware, all versions
Mitsubishi Electric FX5U-64MT/ES firmware, all versions
Mitsubishi Electric FX5U-80MT/ES firmware, all versions
Mitsubishi Electric FX5U-32MR/ES firmware, all versions
Mitsubishi Electric FX5U-64MR/ES firmware, all versions
Mitsubishi Electric FX5U-80MR/ES firmware, all versions
Mitsubishi Electric FX5U-32MT/DS firmware, all versions
Mitsubishi Electric FX5U-64MT/DS firmware, all versions
Mitsubishi Electric FX5U-80MT/DS firmware, all versions
Mitsubishi Electric FX5U-32MR/DS firmware, all versions
plus 53 more product configurations; see NVD for the full list

Mitigating Controls

Likely Mitigating Controls (automatically derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE) cited in the NVD entry.

Control addressing CWE-307: directly enforces limits on consecutive invalid logon attempts and an automatic response (e.g., lockout) to prevent brute-force exploitation of authentication mechanisms.

Control addressing CWE-307: specific conditions, including excessive failed attempts, trigger stronger authentication and thereby restrict brute-force exploitation.

A caveat for this particular CVE: the affected devices already respond to failed logins with a lockout, and that response is exactly what the attacker abuses, since it applies to the whole Web server function rather than to the source of the failures. A lockout-style control only helps here if the response is scoped so that an unauthenticated remote source cannot deny service to legitimate users (for example, throttling keyed on the client rather than a global block, with a bounded backoff). Because any client-keyed scheme can be diluted across many source addresses, the practical control for a PLC Web server is to limit who can reach it at all: keep it off untrusted networks and restrict access to known engineering hosts.
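To make the mechanism concrete, the following added example (written for this page, not code from Mitsubishi Electric or from the affected CPU modules) replays a constructed stream of attacker login failures against two throttling policies: a global lockout of the shape the vulnerability description implies, and a per-source exponential backoff. The source addresses, thresholds, timings and the event stream are all assumptions chosen to illustrate the difference.

```python
"""Simulated login-throttling policies for a CWE-307 style DoS via lockout.

Constructed example for this page, not code from Mitsubishi Electric or from
the affected CPU modules. The event stream, addresses (RFC 5737 TEST-NET
ranges) and thresholds are assumptions chosen to illustrate the mechanism.
"""
import math
from dataclasses import dataclass, field

ATTACKER = "198.51.100.7"   # constructed attacker source (TEST-NET-2)
OPERATOR = "192.0.2.10"     # constructed legitimate client (TEST-NET-1)


@dataclass
class GlobalLockout:
    """Lock the whole login function after N failures from any source.

    This is the shape of behaviour the CVE describes: while the attacker keeps
    failing, the login function keeps re-locking and legitimate users are shut out.
    """
    max_failures: int = 5
    lockout_seconds: float = 60.0
    failures: int = 0
    locked_until: float = -math.inf

    def attempt(self, src: str, now: float, ok: bool) -> str:
        if now < self.locked_until:
            return "LOCKED"          # nobody's credential is checked while locked
        if ok:
            self.failures = 0
            return "OK"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.failures = 0
            self.locked_until = now + self.lockout_seconds
        return "FAIL"


@dataclass
class PerSourceThrottle:
    """Exponential backoff keyed on the client address.

    A failing source only delays itself; other clients are unaffected. The key
    must be something the attacker cannot trivially multiply (many source
    addresses dilute it), which is why network-level restriction still matters.
    """
    base_delay: float = 1.0
    max_delay: float = 300.0
    state: dict = field(default_factory=dict)   # src -> (failures, not_before)

    def attempt(self, src: str, now: float, ok: bool) -> str:
        failures, not_before = self.state.get(src, (0, -math.inf))
        if now < not_before:
            return "THROTTLED"
        if ok:
            self.state.pop(src, None)
            return "OK"
        failures += 1
        delay = min(self.base_delay * 2 ** (failures - 1), self.max_delay)
        self.state[src] = (failures, now + delay)
        return "FAIL"


def constructed_events():
    """Attacker sends one wrong password per second for 120 s; the operator
    logs in correctly once at t=100.5 s. Constructed data, not a capture."""
    attacker = [(float(t), ATTACKER, False) for t in range(120)]
    operator = [(100.5, OPERATOR, True)]
    return sorted(attacker + operator)


def run(policy):
    """Replay the constructed events against a policy and summarise the outcome."""
    results = [(t, src, policy.attempt(src, t, ok)) for t, src, ok in constructed_events()]
    return {
        # what the legitimate operator sees at t=100.5
        "operator": next(o for _, s, o in results if s == OPERATOR),
        # attacker guesses that were actually evaluated against the credential store
        "attacker_guesses_checked": sum(1 for _, s, o in results if s == ATTACKER and o == "FAIL"),
    }


if __name__ == "__main__":
    for policy in (GlobalLockout(), PerSourceThrottle()):
        print(type(policy).__name__, run(policy))
```

Under GlobalLockout the operator's valid login at t=100.5 is refused (LOCKED) because the attacker re-triggers the lockout within five guesses of each expiry, and the attacker still gets ten guesses evaluated in two minutes. Under PerSourceThrottle the operator logs in normally and the attacker, backing off per source, gets only seven guesses evaluated. The per-source scheme removes the denial of service against other clients but is only as strong as the key it throttles on, so it complements, rather than replaces, restricting network access to the Web server function.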
