CVE-2022-33322

high-risk
Published 2022-11-08

Cross-site scripting vulnerability in Mitsubishi Electric consumer electronics products (Air Conditioning, Wi-Fi Interface, Refrigerator, HEMS adapter, Remote control with Wi-Fi Interface, BATHROOM THERMO VENTILATOR, Rice cooker, Mitsubishi Electric HEMS control adapter, Energy Recovery Ventilator, Smart Switch and Air Purifier) allows a remote unauthenticated attacker to execute a malicious script on a user's browser to disclose information, etc. A wide range of models/versions of Mitsubishi Electric consumer electronics products are affected by this vulnerability. For the affected product models/versions, see the Mitsubishi Electric advisory listed in the [References] section.

Do I need to act?

1.5% chance of exploitation in next 30 days
EPSS score — moderate exploit probability
Not on CISA KEV list
No confirmed active exploitation reported to CISA
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
CVSS 6.1/10 Medium
NETWORK / LOW complexity

Affected Products (20)

Mac-587If-E Firmware
Mac-587If2-E Firmware
Mac-507If-E Firmware
Mac-588If-E Firmware
S-Mac-002If Firmware
Ma-Ew85S-E Firmware
Ma-Ew85S-Uk Firmware
Mfz-Gxt50/60/73Vfk Firmware
Mfz-Xt50/60Vfk Firmware
Msxy-Fp05/07/10/13/18/20/24Vgk-Sg1 Firmware
Msy-Gp10/13/15/18/20/24Vfk-Sg1 Firmware
Msz-Ap15/20/25/35/42/50/60/71Vgk-E2 Firmware
Msz-Ap15/20/25/35/42/50/60/71Vgk-Er2 Firmware
Msz-Ap15/20/25/35/42/50/60/71Vgk-Et2 Firmware
Msz-Ap22/25/35/42/50/60/71/80Vgkd-A2 Firmware
Msz-Ap22/25/35/42/50/61/70/80Vgkd-A1 Firmware
Msz-Ap25/35/42/50/60/71Vgk-E3 Firmware
Msz-Ap25/35/42/50/60/71Vgk-Er3 Firmware
Msz-Ap25/35/42/50/60/71Vgk-Et3 Firmware
Msz-Ap25/35/42/50Vgk-E1 Firmware

Affected Vendors

58 / 100
high-risk
Severity 23/34 · High
Exploitability 4/34 · Minimal
Exposure 31/34 · Critical