PT-2021-12: Authentication pypass by capture-replay in FX5U(C) CPU and FX5UJ CPU modules FX5U(C) CPU and FX5UJ CPU modules Severity level Severity level: Medium Impact: Authentication pypass by capture-replay in FX5U(C) CPU and FX5UJ CPU modules Access Vector: Remote CVSS v3.0 Base Score: 5,9 Vector: (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N) CVE-2022-25159 Vulnerability description:The vulnerability of the FX5U(C) CPU and FX5UJ CPU modules of Mitsubishi Electric FA products is associated with the possibility of bypass authorization using capture-replay of intercepted parameters. Exploitation of the vulnerability may allow an attacker who has intercepted the parameters of the security key mechanism transmitted in the MELSOFT protocol in open form to authorize the PLC firmware. Advisory status 15.12.2021 - Vendor gets vulnerability details 31.03.2022 - Security advisory publication date (https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-031_en.pdf ) Credits The vulnerability was detected by Anton Dorfman (Positive Technologies)