CVE-2022-40267 Information

Description

Predictable Seed in Pseudo-Random Number Generator (PRNG) vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series FX5U-xMy/z (x=326480 y=TR z=ESDSESSDSS) with serial number 17X or later and versions 1.280 and prior Mitsubishi Electric Corporation MELSEC iQ-F Series FX5U-xMy/z (x=326480 y=TR z=ESDSESSDSS) with serial number 179 and prior and versions 1.074 and prior Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UC-xMy/z (x=326496 y=T z=DDSS)) with serial number 17X or later and versions 1.280 and prior Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UC-xMy/z (x=326496 y=T z=DDSS)) with serial number 179 and prior and versions 1.074 and prior Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UC-32MT/DS-TS versions 1.280 and prior Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UC-32MT/DSS-TS versions 1.280 and prior Mitsubishi Electric Corporation MELSEC iQ-F Series FX5UC-32MR/DS-TS versions 1.280 and prior Mitsubishi Electric Corporation MELSEC iQ-R Series R00/01/02CPU all versions Mitsubishi Electric Corporation MELSEC iQ-R Series R04/08/16/32/120(EN)CPU all versions allows a remote unauthenticated attacker to access the Web server function by guessing the random numbers used for authentication from several used random numbers.

Reference

https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-019_en.pdf https://www.cisa.gov/uscert/ics/advisories/icsa-23-017-02 https://jvn.jp/vu/JVNVU99673580/index.html