Vulnerability Details : CVE-2022-24946
Improper Resource Locking vulnerability in Mitsubishi Electric MELSEC iQ-R Series R12CCPU-V firmware versions "16" and prior, Mitsubishi Electric MELSEC-Q Series Q03UDECPU the first 5 digits of serial No. "24061" and prior, Mitsubishi Electric MELSEC-Q Series Q04/06/10/13/20/26/50/100UDEHCPU the first 5 digits of serial No. "24061" and prior, Mitsubishi Electric MELSEC-Q Series Q03/04/06/13/26UDVCPU the first 5 digits of serial number "24051" and prior, Mitsubishi Electric MELSEC-Q Series Q04/06/13/26UDPVCPU the first 5 digits of serial number "24051" and prior, Mitsubishi Electric MELSEC-Q Series Q12DCCPU-V all versions, Mitsubishi Electric MELSEC-Q Series Q24DHCCPU-V(G) all versions, Mitsubishi Electric MELSEC-Q Series Q24/26DHCCPU-LS all versions, Mitsubishi Electric MELSEC-L series L02/06/26CPU(-P) the first 5 digits of serial number "24051" and prior, Mitsubishi Electric MELSEC-L series L26CPU-(P)BT the first 5 digits of serial number "24051" and prior and Mitsubishi Electric MELIPC Series MI5122-VW firmware versions "05" and prior allows a remote unauthenticated attacker to cause a denial of service (DoS) condition in Ethernet communications by sending specially crafted packets. A system reset of the products is required for recovery.
Vulnerability category: Denial of service
Products affected by CVE-2022-24946
- cpe:2.3:o:mitsubishielectric:q04udvcpu_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:q06udvcpu_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:q13udvcpu_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:q26udvcpu_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:q04udpvcpu_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:q06udpvcpu_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:q13udpvcpu_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:q26udpvcpu_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:q03udecpu_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:q04udehcpu_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:q06udehcpu_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:q10udehcpu_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:q13udehcpu_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:q20udehcpu_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:q26udehcpu_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:q50udehcpu_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:q100udehcpu_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:l26cpu-bt_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:l26cpu-pbt_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:l26cpu-bt-cm_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:q06ccpu-v_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:l26cpu-\(p\)bt_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:l02cpu_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:l02cpu-p_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:l02scpu_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:l02scpu-p_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:l06cpu_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:l06cpu-p_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:l26cpu_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:l26cpu-p_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:q06phcpu_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:q26dhccpu-ls_firmware:-:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-24946
0.23%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 61 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2022-24946
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.8
|
HIGH | AV:N/AC:L/Au:N/C:N/I:N/A:C |
10.0
|
6.9
|
NIST | |
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2022-24946
-
The product does not properly acquire or release a lock on a resource, leading to unexpected resource state changes and behaviors.Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-24946
-
https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-007_en.pdf
Vendor Advisory
-
https://www.cisa.gov/uscert/ics/advisories/icsa-22-172-01
-
https://jvn.jp/vu/JVNVU90895626/index.html
JVNVU#90895626: 三菱電機製MELSEC QおよびLシリーズにおける不適切なリソースロックの脆弱性Third Party Advisory
Jump to