Mitsubishi Electric GOT2000 HMI Improper Input Validation Vulnerability (CVE-2021-20601)

Critical Vulnerability Information 1. Summary CVSS v3 Score: 7.5 Severity: Remotely exploitable / Low attack complexity Vendor: Mitsubishi Electric Affected Devices: GOT2000 Series, GOT SIMPLE Series, GT SoftGOT2000 Vulnerability Type: Improper Input Validation 2. Risk Assessment Successful exploitation of this vulnerability could have adverse effects on system operations. 3. Technical Details 3.1 Affected Products The Mitsubishi Electric Human-Machine Interface (HMI) products affected by this vulnerability include: GOT2000 Series - GT27 models: All versions - GT25 models: All versions - GT23 models: All versions - GT21 models: All versions GOT SIMPLE Series - GS21 models: All versions GT SoftGOT2000: All versions 3.2 Vulnerability Overview Improper Input Validation (CWE-20): The affected products contain an information tampering vulnerability. Attackers may send malicious packets to rewrite device values, leading to adverse impacts on system operations. CVE ID: CVE-2021-20601 CVSS v3 Base Score: 7.5 3.3 Background Critical Infrastructure Sector: Critical Manufacturing Deployment Countries/Regions: Worldwide Company Headquarters Location: Japan 3.4 Researchers This vulnerability was reported to Mitsubishi Electric by the COE-CNDS Lab, along with Parul Sindhawad and Dr. Faruk Kazi from VJTI. 4. Mitigation Measures Mitsubishi Electric recommends users take the following measures to minimize the risk of exploitation: Use firewalls or Virtual Private Networks (VPNs) to prevent unauthorized access. Deploy products within a local network and block access from untrusted networks and hosts. Install antivirus software on user computers that have access to the products and systems. Use IP filtering features to restrict access to specific IP addresses. For more information, contact your local Mitsubishi Electric representative or refer to the Mitsubishi Electric support website. Overall, organizations should perform appropriate impact analysis and risk assessment before implementing protective measures.

Goal Reached Thanks to every supporter — we hit 100%!

Mitsubishi Electric GOT2000 HMI Improper Input Validation Vulnerability (CVE-2021-20601)