CVE-2023-4699 Overview
CVE-2023-4699 is a Missing Authentication for Critical Function vulnerability affecting a wide range of Mitsubishi Electric industrial control systems, including MELSEC-F Series CPU modules, MELSEC iQ-F Series, MELSEC iQ-R series CPU modules, MELSEC iQ-L series, MELSEC Q series, MELSEC-L series, and multiple CNC controller series (M800V/M80V, M800/M80/E80, and M700V/M70V/E70). This vulnerability allows a remote unauthenticated attacker to execute arbitrary commands by sending specially crafted packets to the affected products.
The impact of successful exploitation is severe. Attackers can disclose or tamper with sensitive information by reading or writing control programs, potentially causing operational disruption in manufacturing environments. Additionally, attackers can cause a denial-of-service (DoS) condition by resetting device memory contents to factory settings or performing remote device resets.
Critical Impact
Remote unauthenticated attackers can execute arbitrary commands, read/write control programs, disclose sensitive information, tamper with industrial processes, or cause denial of service by resetting affected PLCs and CNC controllers to factory defaults.
Affected Products
- Mitsubishi Electric MELSEC-F Series CPU modules (FX3U, FX3UC, FX3G, FX3GC, FX3GE, FX3GA, FX3S, FX3SA variants)
- Mitsubishi Electric MELSEC iQ-F Series (FX5U, FX5UC, FX5UJ, FX5S variants)
- Mitsubishi Electric CNC M800V/M80V, M800/M80/E80, and M700V/M70V/E70 series
Discovery Timeline
- November 6, 2023 - CVE CVE-2023-4699 published to NVD
- March 17, 2025 - Last updated in NVD database
Technical Details for CVE-2023-4699
Vulnerability Analysis
This vulnerability stems from a fundamental authentication bypass issue classified under CWE-306 (Missing Authentication for Critical Function) and CWE-345 (Insufficient Verification of Data Authenticity). The affected Mitsubishi Electric PLC and CNC systems fail to properly authenticate remote requests before executing critical functions, allowing unauthenticated network-based attackers to interact with sensitive device operations.
The vulnerability is particularly dangerous in industrial control system (ICS) environments where these devices manage critical manufacturing processes. Successful exploitation requires no user interaction and can be achieved remotely over the network, making it highly accessible to attackers who can reach the vulnerable devices.
Root Cause
The root cause of CVE-2023-4699 is the absence of proper authentication mechanisms for critical device functions. The affected Mitsubishi Electric controllers accept and process commands from remote sources without verifying the identity or authorization of the requester. This design flaw means that any network-accessible attacker can send malicious packets to the device and have them executed with full privileges.
The secondary weakness (CWE-345) indicates that the devices also fail to adequately verify the authenticity of incoming data, compounding the authentication bypass issue. Together, these weaknesses create a scenario where attackers can fully control device behavior without any credentials.
Attack Vector
The attack is network-based and can be executed remotely without authentication or user interaction. An attacker with network access to the vulnerable PLC or CNC controller can send specifically crafted packets to exploit this vulnerability.
The exploitation flow typically involves:
- Network reconnaissance to identify exposed Mitsubishi Electric MELSEC or CNC devices
- Crafting malicious packets targeting the unauthenticated command interface
- Sending packets to read control programs (information disclosure)
- Optionally modifying control programs (integrity compromise)
- Executing device reset commands to cause denial of service
Given the nature of ICS/SCADA environments, successful exploitation could affect physical manufacturing processes, potentially causing production downtime, equipment damage, or safety hazards. The vulnerability enables attackers to reset device memory to factory settings, effectively wiping all configured programs and settings.
Detection Methods for CVE-2023-4699
Indicators of Compromise
- Unexpected network connections to MELSEC or CNC controller communication ports from external or unauthorized IP addresses
- Unusual command sequences or protocol messages being sent to affected PLCs
- Unexpected changes to control programs or device configurations
- Devices unexpectedly resetting to factory defaults or entering error states
Detection Strategies
- Deploy network intrusion detection systems (IDS) with ICS-specific rulesets to identify anomalous traffic to Mitsubishi Electric devices
- Implement deep packet inspection on OT network segments to detect unauthorized command attempts
- Monitor for changes in PLC program checksums or configurations that were not authorized through change management processes
- Establish baseline communication patterns for MELSEC devices and alert on deviations
Monitoring Recommendations
- Segment ICS/SCADA networks from corporate IT networks and monitor traffic crossing network boundaries
- Implement continuous monitoring of PLC communication ports using industrial protocol-aware tools
- Enable logging on network devices and firewalls to capture connection attempts to affected controllers
- Conduct regular integrity checks on PLC programs to detect unauthorized modifications
How to Mitigate CVE-2023-4699
Immediate Actions Required
- Isolate affected Mitsubishi Electric devices from untrusted networks immediately using firewalls and network segmentation
- Restrict network access to affected PLCs and CNC controllers to only authorized engineering workstations
- Implement allowlisting of IP addresses permitted to communicate with vulnerable devices
- Review network architectures to ensure OT systems are not directly accessible from the internet or corporate networks
Patch Information
Mitsubishi Electric has released a security advisory addressing this vulnerability. Organizations should consult the Mitsubishi Electric PSIRT Vulnerability Report for specific firmware update guidance and patching instructions for affected product families. Additionally, CISA ICS Advisory ICSA-23-306-03 provides supplementary mitigation guidance for critical infrastructure operators.
Given the extensive list of affected products across multiple MELSEC series and CNC controller families, organizations should inventory all Mitsubishi Electric devices in their environment and prioritize patching based on network exposure and criticality.
Workarounds
- Implement strict network segmentation to isolate PLCs and CNC controllers on dedicated OT networks with controlled access points
- Deploy application-layer firewalls capable of inspecting industrial protocols to filter unauthorized commands
- Use VPN connections with strong authentication for any remote access to OT environments
- Disable unnecessary network services on affected devices where possible
# Example firewall rule to restrict PLC access (adapt to your environment)
# Allow only authorized engineering workstations to access MELSEC devices
iptables -A INPUT -s 192.168.100.0/24 -d 192.168.200.0/24 -p tcp --dport 5007 -j ACCEPT
iptables -A INPUT -d 192.168.200.0/24 -p tcp --dport 5007 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
