CVE-2023-4625

moderate-risk

Published 2023-11-06

Improper Restriction of Excessive Authentication Attempts vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F/iQ-R Series CPU modules Web server function allows a remote unauthenticated attacker to prevent legitimate users from logging into the Web server function for a certain period after the attacker has attempted to log in illegally by continuously attempting unauthorized login to the Web server function. The impact of this vulnerability will persist while the attacker continues to attempt unauthorized login.

Do I need to act?

0.11% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.3/10 Medium

NETWORK / LOW complexity

Affected Products (20)

Fx5U-32Mt\/Es Firmware

Fx5U-64Mt\/Es Firmware

Fx5U-80Mt\/Es Firmware

Fx5U-32Mr\/Es Firmware

Fx5U-64Mr\/Es Firmware

Fx5U-80Mr\/Es Firmware

Fx5U-32Mt\/Ds Firmware

Fx5U-64Mt\/Ds Firmware

Fx5U-80Mt\/Ds Firmware

Fx5U-32Mr\/Ds Firmware

Fx5U-64Mr\/Ds Firmware

Fx5U-80Mr\/Ds Firmware

Fx5U-32Mt\/Ess Firmware

Fx5U-64Mt\/Ess Firmware

Fx5U-80Mt\/Ess Firmware

Fx5U-32Mt\/Dss Firmware

Fx5U-64Mt\/Dss Firmware

Fx5U-80Mt\/Dss Firmware

Fx5Uc-32Mt\/D Firmware

Fx5Uc-64Mt\/D Firmware

Affected Vendors

Mitsubishielectric

References (6)

Third Party Advisory https://jvn.jp/vu/JVNVU94620134

Third Party Advisory https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-02

Vendor Advisory https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-014_en.pdf

Third Party Advisory https://jvn.jp/vu/JVNVU94620134

Third Party Advisory https://www.cisa.gov/news-events/ics-advisories/icsa-23-306-02

Vendor Advisory https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-014_en.pdf

/ 100

moderate-risk

Severity 21/34 · High

Exploitability 0/34 · Minimal

Exposure 27/34 · High