The latest ICS advisory from the United States Cybersecurity and Infrastructure Security Agency outlines a serious collection of security weaknesses affecting engineering software developed by Mitsubishi Electric. The advisory confirms that these Mitsubishi Electric vulnerabilities affect tools used to configure, manage, and support MELSEC PLC platforms across global industrial environments. The flaws make it possible for remote attackers to gain unauthorized access to controllers, retrieve sensitive engineering data, and compromise workstations used throughout manufacturing, energy, automation, and other operational technology sectors.
This advisory expands on the long running ICSA-22-333-05 report. It provides updated information about widespread product exposure across GX Works3, GX Works2, GX Developer, MX OPC UA Module Configurator-R, GT Designer3 Version1 (GOT2000), Motion Control Setting, and MT Works2. These engineering suites support MELSEC iQ-R, iQ-F, and L series controllers. They are embedded deeply within industrial automation systems worldwide. The vulnerabilities include cleartext storage of sensitive information, hard-coded authentication credentials, insecure cryptographic keys, and weak credential protection. Together they create substantial risk for organizations that rely on these tools for industrial operations.
Background on the ICS Advisory
CISA issued this advisory after researchers from Positive Technologies and Nozomi Networks identified several weaknesses within Mitsubishi Electric software. The flaws allow attackers to read configuration files, extract CPU module data, view or execute PLC programs, and bypass critical authentication controls. Many of the weaknesses align with high risk CWE categories that frequently appear in industrial control system software, including CWE-312, CWE-259, CWE-522, CWE-321, and CWE-316.
Mitsubishi Electric products are widely deployed in operational technology environments, which makes them attractive targets for threat actors. The affected tools interact directly with PLCs responsible for controlling machinery, safety equipment, robotics, and building automation systems. Many engineering workstations are connected to internal networks that lack strict segmentation. When vulnerabilities go unpatched, attackers gain a larger attack surface to exploit inside these industrial environments.
Risk Evaluation for Industrial Operators
CISA warns that exploitation of these Mitsubishi Electric vulnerabilities allows unauthorized users to access MELSEC CPU modules and the MELSEC OPC UA server module. Attackers could execute or read PLC programs, modify configurations, extract sensitive project files, or access information about safety CPU modules. This creates a serious operational threat because PLC project data contains logic, safety functions, and control parameters used across physical equipment and industrial workflows.
The advisory also confirms extensive risk to engineering workstations. Cleartext passwords, embedded keys, and hard-coded authentication data allow attackers to compromise both the engineering environment and the controller. If these weaknesses are abused, adversaries can alter configuration files, bypass security checks, or insert harmful instructions into PLC projects. This can lead to significant downtime, equipment malfunction, and disruption across entire production lines.
Affected Mitsubishi Electric Products
The advisory lists extensive affected versions across multiple software families. The following branches contain versions vulnerable to the documented flaws:
- GX Works3: Versions 1.000A to 1.011M, 1.015R to 1.087R, 1.090U, 1.095Z, and 1.096A and later
- MX OPC UA Module Configurator-R: Versions 1.08J and prior
- GX Works2: All versions
- GX Developer: Versions 8.40S and later
- GT Designer3 Version1 (GOT2000): Versions 1.122C to 1.290C
- Motion Control Setting: Versions 1.000A to 1.065T
- MT Works2: Versions 1.100E to 1.200J
These engineering tools support large industrial ecosystems in manufacturing, transportation, energy distribution, packaging, and automation. Because the software interfaces directly with PLC controllers, vulnerabilities that expose authentication pathways or project data pose a direct operational risk.
Detailed Breakdown of the Vulnerabilities
The advisory contains multiple CVEs involving insecure credential storage, embedded authentication data, and unsafe cryptographic practices. The following categories summarize the core weaknesses that allow attackers to compromise engineering environments and PLC projects.
Cleartext Storage of Sensitive Information
GX Works3, GX Works2, GX Developer, MX OPC UA Module Configurator-R, and Motion Control Setting store sensitive data in cleartext. This includes passwords, project logic, and internal metadata. Attackers who obtain this data can map network structures, analyze safety logic, or understand proprietary automation processes across the Q, FX, and L series PLC families.
Use of Hard-coded Passwords
Several Mitsubishi Electric products contain static passwords embedded within the software. These credentials allow unauthorized users to bypass authentication entirely. Once exposed, attackers can access project files, execute PLC programs, or read sensitive configurations. Hard-coded passwords significantly weaken ICS security because many operators are unaware of their presence.
Insecure Cryptographic Keys
The advisory confirms multiple instances of insecure and static cryptographic keys within GX Works3, GT Designer3, Motion Control Setting, and MT Works2. Attackers can extract or reuse these keys to decrypt project files or manipulate PLC settings. Weak cryptographic implementations remain one of the most common and dangerous issues within industrial environments.
Insufficiently Protected Credentials
GX Works3 versions 1.015R and later contain weak credential protection that allows remote, unauthenticated access to MELSEC safety CPU modules. Poor credential handling exposes safety systems that are responsible for critical operational decisions inside industrial facilities.
Cleartext Storage of Sensitive Information in Memory
Several of the affected tools store sensitive information in cleartext memory structures during runtime. Attackers who access a compromised workstation or extract a memory dump can obtain CPU project files or sensitive parameters used to manage controllers.
Why These Issues Matter for Industrial Operators
Mitsubishi Electric controllers form the backbone of automation in manufacturing plants, robotics systems, building management infrastructure, pharmaceutical production, packaging lines, and energy management. Attackers who exploit these vulnerabilities could collect detailed operational intelligence, manipulate physical equipment, disrupt safety logic, or compromise production workflows. Many organizations rely on long-lived ICS deployments where patching is slow or heavily restricted. As a result, exposed engineering workstations become long term targets for adversaries who want to infiltrate industrial supply chains.
Over the past several years attackers have targeted integrators, automation vendors, and operators by abusing weaknesses in engineering software. These vulnerabilities increase the opportunity for supply chain compromise and operational disruption if they remain unpatched.
Mitigation Steps and Recommendations
Mitsubishi Electric has released updated versions of the affected software suites and published guidance for organizations unable to perform immediate updates. Operators should apply the latest versions of GX Works3, MX OPC UA Module Configurator-R, GT Designer3 Version1, Motion Control Setting, and MT Works2. Users should also enable all recommended security features, including secure mode settings and updated security key configurations.
CISA advises operators to segment networks, restrict lateral movement between business and operational technology, and eliminate unnecessary exposure to industrial devices. Remote access should only be permitted through secure, updated VPN configurations. Engineering machines should be monitored for suspicious behavior and restricted from accessing untrusted content.
Organizations should also audit their environment for exposed project files, insecure archives, and password data. It is recommended to perform regular scans with tools such as Malwarebytes to detect unwanted software on engineering workstations. File integrity monitoring and strict firewall rules can further reduce the risk of unauthorized PLC manipulation.
Long Term Operational Implications
The Mitsubishi Electric vulnerabilities highlight persistent challenges in ICS cybersecurity. Many engineering tools were not built with modern security expectations, which creates an ongoing burden for operators today. Cleartext credentials, embedded authentication, and static cryptographic keys continue to appear across industrial platforms. These issues require immediate remediation to protect production systems from targeted attacks.
Industrial organizations should prioritize the security of engineering workstations. These systems remain one of the most valuable targets for threat actors seeking to enter operational networks. Regular updates, strong access control, and continuous monitoring are essential to maintaining safe and reliable operations across environments that rely on Mitsubishi Electric software.
For additional coverage of ICS advisories, threat activity, and related incident reporting, visit our cybersecurity section. Readers tracking incidents that include exposed operational data or compromised systems can also review updates in our data breaches category.
