FA Products SecurityVulnerability Information

<Update history:March 14, 2024>
Added modules that have been fixed to “Countermeasures”.
R08/16/32/120SFCPU

<Update history:September 12, 2023>
Added modules that have been fixed to “Countermeasures”.
R08/16/32/120PCPU

<Update history:July 6, 2023>
Added modules to “Affected products”.
R00/01/02CPU, R04/08/16/32/120(EN)CPU, R08/16/32/120SFCPU, R08/16/32/120PCPU
Added modules that have been fixed to “Countermeasures”.
R00/01/02CPU, R04/08/16/32/120(EN)CP

<Update history:February 15, 2024>
- The following series have been added to the affected products.
MELSEC iQ-R Series
- The "Overview", "Affected products", "Description", and "Mitigation/Workarounds" have been revised.

<Update history:January 30, 2024>
Added C80 as a product that has been fixed to "Countermeasures".

<Update history:December 5, 2023>
Added products that have been fixed to "Countermeasures". Remote Service Gateway Unit

<Update history:November 21, 2023>
Added products that have been fixed to "Countermeasures".
M800VW, M800VS, M80V, M80VW, M750VW, M730VW/M720VW, M750VS, M730VS/M720VS, M70V, E70

<Update history:October 31, 2023>
Corrected Product and System Number of “Affected products”.
Corrected System Number of M730VS
Deleted M750VS 15-type and M730VS/M720VS 15-type
Added products that have been fixed to "Countermeasures".
M800W, M800S, M80, M80W, E80

<Update history:August 3, 2023>
Corrected "Product" and "System Number" of “Affected products” for M730VW/M720VW and M720VS. Added M750VW, M750VS, added M730VS, M750VS 15-type and M730VS/M720VS 15-type to the list “Affected products”.

<Update history:December 19, 2023>
Added the Acknowledgement.

<Update history:March 29, 2022>
Added the information of modules that have been fixed to “Affected products” and “Countermeasures”.

<Update history:January 13, 2022>
Added modules that have been fixed to “Countermeasures”.

<Update history:May 18, 2021>
Added R 08/16/32/120 PCPU that has been fixed to “Countermeasures".R 08/16/32/120 PSFCPU has been deleted from “Affected products”.

<Update history:December 12, 2023>
- GX Works2 and GX Developer, those are not planned to be fixed, have been added to “Countermeasures”

<Update history:June 29, 2023>
The affected versions of following products have been modified in “Affected products”.
GX Works3, MX OPC UA Module Configurator-R
Countermeasure information for GX Works3 has been added to “Countermeasures”.
MX OPC UA Module Configurator-R has been added to “Countermeasures”.

<Update history:May 30, 2023>
GX Works2, GX Developer, GT Designer3 Version1 (GOT2000)
Motion Control Setting have been added to "Affected products",
"Overview" and " Impact" have been revised, overview of each vulnerability have been added to the “Description”, and fixed products have been added to “Countermeasures”.

<Update history:December 12, 2023>
Added module that has been fixed to “Countermeasures”.
R12CCPU-V

<Update history:July 13, 2023>
Added modules that have been fixed to “Countermeasures”.
R08/16/32/120SFCPU

<Update history:November 16, 2023>
Up dated the release status of the security patch for GENESIS64 TM Version 10.9 7.1

<Update history:August 3, 2023>
Updated the release status of the security patch for GENESIS64TM Version 10.97

<Update history:February 9, 2023>
Updated the release status of the security patch for GENESIS64TM Version 10.97.2, Version 10.97.1, Version 10.97

<Update history:December 27, 2022>
Updated the release status of the security patch for GENESIS64TM Version 10.97.2

<Update history:November 9, 2023>
Added modules that have been fixed to “Countermeasures”.
Q172/173DSCPU, Q170MSCPU(-S1)

<Update history:April 24, 2023>
Corrected affected and fixed versions.
R08/16/32/120SFCPU

<Update history:November 24, 2022>
Added modules that have been fixed to “Countermeasures”.
R08/16/32/120SFCPU

<Update history:July 26, 2022>
Added modules that have been fixed to “Countermeasures”.
R12CCPU-V, MI5122-VW

<Update history:May 31, 2022>
Added modules that have been fixed to “Countermeasures”.
R08/16/32/120PSFCPU, R16/32/64MTCPU

<Update history:April 26, 2022>
Added modules that have been fixed to “Countermeasures”.
Q12DCCPU-V, Q24DHCCPU-V(G), Q24/26DHCCPU-LS, MR-MQ100, Q172/173DCPU-S1, Q170MCPU

<Update history:January 27, 2022>
Added modules that have been fixed to “Countermeasures”.
Q03UDECPU, Q04/06/10/13/20/26/50/100UDEHCPU, L02/06/26CPU(-P), L26CPU-(P)BT Corrected product model name of “Affected products”
Q172/173DSCPU

<Update history:August 30, 2023>
Added information of Remote Code Execution vulnerability (CVE-2022-3602) due to Buffer Copy without Checking Size of Input (CWE-120). Also changed the title of this advisory.

<Update history:August 22, 2023>
Added a serial number that have been fixed to “Countermeasures”

<Update history:August 3, 2023>
Added the security patch information for GENESIS64TM Version 10.97 in “Countermeasures”

<Update history:February 9, 2023>
Updated the release date of security patches for GENESIS64TM Version 10.97, MC Works64 Version 4.04E and MC Works64 Edge-computing Edition Version 4.04E

<Update history:December 15, 2022>
Updated the release date of security patches for GENESIS64TM Version 10.97, MC Works64 Version 4.04E and MC Works64 Edge-computing Edition Version 4.04E

<Update history:September 30, 2022>
Updated the release date of security patches for GENESIS64TM Version 10.97, MC Works64 Version 4.04E and MC Works64 Edge-computing Edition Version 4.04E

<Update history:August 30, 2022>
Added the security patch information for GENESIS64TM Version 10.97.1 in “Countermeasures”

<Update history:July 27, 2023>
Added modules that have been fixed to “Countermeasures”.
Q12DCCPU-V, Q24DHCCPU-V (G), Q24/26DHCCPU-LS

<Update history:August 16, 2022>
The title has been changed due to the addition of affected products.
Added modules(R12CCPU-V, Q12DCCPU-V, Q24DHCCPU-V (G), Q24/26DHCCPU-LS, MI5122-VW) to “Affected products”.
Added modules(R12CCPU-V, Q03UDECPU, Q04/06/10/13/20/26/50/100UDEHCPU, MI5122-VW) that have been fixed to “Countermeasures”.

<Update history:June 29, 2023>
Added fixed products([1], [2], [4], [6]and [7])

<Update history:September 22, 2022>
Added fixed product as below [3] LE7-40GU-L

<Update history:May 24, 2022>
Added fixed products([1]and [4])

<Update history:August 24, 2021>
Added fixed products([1])

<Update history:May 18, 2021>
Added fixed products([1]and [4])

<Update history:February 18, 2021>
Add version information and/or fixed products([8]and [11])

<Update history:January 26, 2021>
Added information regarding countermeasures and mitigations/Workarounds for products( [1] and [5])

<Update history:September 24, 2020>
Add affected products ([8] - [11])

<Update history:June 20, 2023>
Added modules to “Affected products”.
[MELSEC iQ-R Series]
R00/01/02CPU, R04/08/16/32/120(EN)CPU, R08/16/32/120SFCPU,
R08/16/32/120PCPU, R08/16/32/120PSFCPU, RJ71EN71, R12CCPU-V
[MELSEC-Q Series]
Q03UDECPU, Q04/06/10/13/20/26/50/100UEDHCPU,
Q03/04/06/13/26UDVCPU, Q04/06/13/26UDPVCPU, QJ71E71-100
[MELSEC-L Series]
L02/06/26CPU(-P), L26CPU-(P)BT, LJ71E71-100

<Update history:April 18, 2023>
Added modules that have been fixed to “Countermeasures”.R00/01/02CPU, R04/08/16/32/120(EN)CPU

<Update history:February 28, 2023>
Removed annotation of FX5S CPU module from "Affected products" and "Countermeasures".

<Update history:January 26, 2023>
Added modules(FX5UJ, FX5UJ-A, FX5S CPU module) to “Affected products”.
Added modules(FX5UJ, FX5UJ-A, FX5S CPU module) that have been fixed to “Countermeasures”.
Modified "authorization" to "authentication" in title, "Overview" and "Description"

<Update history:April 11, 2023>
Added recommended actions for FR Configurator SW3, GT Designer2 Classic and MELSEC WinCPU Setting Utility to “Countermeasures"

<Update history:March 2, 2023>
Added Position Board utility 2 that has been fixed to “Countermeasures".

<Update history:November 17, 2022>
Added C Controller Interface Module utility and MELSOFT EM Software Development Kit that have been fixed to “Countermeasures".

<Update history:July 28, 2022>
Added MI Configurator, Setting/monitoring tools for the C Controller module (SW3PVC-CCPU) and Setting/monitoring tools for the C Controller module (SW4PVC-CCPU) that have been fixed to “Countermeasures".

<Update history:May 24, 2022>
Added FR Configurator2, M_CommDTM-IO-Link, Network Interface Board CC IE Control Utility, Network Interface Board CC IE Field Utility, Network Interface Board CC-Link Ver.2 Utility and Network Interface Board MNETH Utility that have been fixed to “Countermeasures".

<Update history:February 8, 2022>
Added CC-Link IE Control Network Data Collector, CC-Link IE Field Network Data Collector, CC-Link IE TSN Data Collector, MR Configurator2, MT Works2, MTConnect Data Collector and SLMP Data Collector that have been fixed to “Countermeasures".

<Update history:November 16, 2021>
Added MELFA-Works, RT ToolBox2 and RT ToolBox3 that have been fixed to “Countermeasures". Added CC-Link IE TSN Data Collector to “Affected Products”

<Update history:July 27, 2021>
Added GX Works2, MELSOFT Complete Clean Up Tool and MELSOFT Navigator that have been fixed to “Countermeasures".

<Update history:May 27, 2021>
Added EZSocket and PX Developer that have been fixed to “Countermeasures".

<Update history:January 14, 2021>
Added MELSOFT iQ AppPortal, MX Component and MX Sheet that have been fixed to “Countermeasures".

<Update history:November 5, 2020>
Added Data Transfer, GT Designer3 Version1(GOT1000), GT Designer3 Version1(GOT2000), GT SoftGOT1000 Version3, GT SoftGOT2000 Version1, MX MESInterface, and MX MESInterface-R that have been fixed to “Countermeasures".

<Update history:February 28 ,2023>
Removed annotation of FX5S CPU module from "Affected products" and "Countermeasures"

<Update history:May 31, 2022>
Added the information of modules that have been fixed to "Affected products" and "Countermeasures"

<Update history:January 31, 2023>
Added the fixed firmware version and update steps of RD81OPC96 to “Countermeasures”

<Update history:November 1, 2022>
Added the fixed firmware version and update steps of NZ2MHG-TSNT8F2 and NZ2MHG-TSNT4 to “Countermeasures”.

<Update history:August 30, 2022>
Added NZ2MHG-TSNT4 to “Affected products”, “Countermeasures” and “Mitigations”

<Update history:August 18, 2022>
Added NZ2MHG-TSNT8F2 and RD81OPC96 to “Affected products”, “Countermeasures” and “Mitigations”.

<Update history:November 17, 2022>
Added fixed product as below
MELSOFT EM Software Development Kit (EM Configurator)

<Update history:July 28, 2022>
Added fixed products as below
EZSocket, MI Configurator, Setting/monitoring tools for the C Controller module (SW4PVC-CCPU)Setting/monitoring tools for the C Controller module (SW3PVC-CCPU) has been removed from “Affected Products

<Update history:May 24, 2022>
Added fixed products as below
M_CommDTM-IO-Link, Network Interface Board CC IE Control Utility, Network Interface Board CC IE Field Utility,Network Interface Board CC-Link Ver.2 Utility, Network Interface Board MNETH Utility

<Update history:February 8, 2022>
Added fixed products as below
MT Works2, MX Component, SLMP Data Collector

<Update history:November 16, 2021>
Added fixed products as below
MELFA-Works, MH11 SettingTool Version2, RT ToolBox2

<Update history:July 27, 2021>
Added fixed products as below
GX Developer, MELSOFT Navigator

<Update history:May 27, 2021>
Added fixed and affected products

<Update history:October 13, 2022>
・Added modules that have been fixed to “Countermeasures”.
R08/16/32/120SFCPU
・Vulnerability Type (CWE) was changed to Cleartext transmission of sensitive information (CWE-319)

<Update history:October 13, 2021>
・Correction of clerical errors.

<Update history:October 12, 2021>
・Added CVE ID and CVSS score.
・Modified part of descriptions of “Overview”, “Description”, “Impact” and “Countermeasures”.

<Update history:October 13, 2022>
Added modules that have been fixed to “Countermeasures”.R08/16/32/120SFCPU

<Update history:October 13, 2022>
Added modules that have been fixed to “Countermeasures”.R08/16/32/120SFCPU

<Update history:September 22, 2022>
Added countermeasure for MELSEC WinCPU Setting Utility to “Countermeasures”.

<Update history:July 28, 2022>
Added MI Configurator, Setting/monitoring tools for the C Controller module (SW4PVC-CCPU) that have been fixed to “Countermeasures”.
Setting/monitoring tools for the C Controller module (SW3PVC-CCPU) has been removed from “Affected Products”

<Update history:May 24, 2022>
Added M_CommDTM-IO-Link, Network Interface Board CC IE Control Utility, Network Interface Board CC IE Field Utility, Network Interface Board CC-Link Ver.2 Utility and Network Interface Board MNETH utility that have been fixed to “Countermeasures”.

<Update history:December 17, 2020>
Added GT SoftGOT1000 Version3 that have been fixed to “Countermeasures”.

<Update history:July 28, 2022>
Added EZSocket as a fixed product.

<Update history:June 30, 2022>
Added MELSOFT Navigator as a fixed product.

<Update history:July 28, 2022>
Added MI Configurator that has been fixed to “Countermeasures"

<Update history:May 27, 2022>
Added MELSEC iQ-R Series Motion Module that has been fixed to “Countermeasures".

<Update history:January 14, 2021>
Added MELSOFT iQ AppPortal, MELSOFT Navigator, MR Configurator2 and MX Component that have been fixed to “Countermeasures".

<Update history:July 7, 2022>
・Updated the details of “Countermeasures”

<Update history:October 28, 2021>
・Modified part of descriptions of “Impact”.
・Correction of clerical errors.

<Update history:May 31, 2022>
Added MELSEC iQ-R/Q/L series to “Affected products”.
Added MELSEC iQ-R/Q/L series product manual information to “Mitigations/Workarounds”.

<Update history:May 10, 2022>
Add fixed products as below
[4] [Wireless LAN communication unit for GOT]

<Update history:March 22, 2022>
Added "[4] [Wireless LAN communication unit for GOT]" to affected products.

<Update history:April 7, 2022>
This advisory was withdrawn because these issues are not vulnerabilities.

<Update history:October 5, 2021>
Added information to “Overview”, “CVSS”, “Description” and “Countermeasures”.

<Update history:January 20, 2022>
For Tension Controller, added “Update procedure” and “Fixed Versions” to “Countermeasures”.

<Update history:January 20, 2022>
For Tension Controller, added “How to check the versions in use” to “Affected products and version”. For Tension Controller, added “Update procedure” and “Fixed Versions” to “Countermeasures”.

<Update history:May 11, 2021>
Added “How to check the versions in use” to “Affected products and version” Added “Update procedure” and “Fixed Versions” to “Countermeasures”.

<Update history:December 16, 2021>
RJ71C24 (-R2/R4) has been removed from “Affected products” as it has been found not to be affected by this vulnerability.

<Update history:September 14, 2021>
Added RJ71GN11-T2 that has been fixed to “Countermeasures"

<Update history:May 18, 2021>
Added R08/16/32/120 PCPU and R08/16/32/120PSFCPU that have been fixed to “Countermeasures".

<Update history:November 25, 2021>
Added information about information disclosure vulnerability (CVE-2021-27040) due to Out-of bounds Read (CWE-125)

<Update history:July 27, 2021>
Added “How to check the versions in use” to “Affected products”.Added “Update procedure” and “Fixed Versions” to “Countermeasures”.

<Update history:June 17, 2021>
Added MELSOFT FieldDeviceConfigurator that has been fixed to “Affected products" and “Countermeasures".

<Update history:June 14, 2021>
-Updated the URL of the web page to download the security patch.
-Fixed errors in the description of the target version of the security patch.

<Update history:January 14, 2021>
Added Security Patches for MC Works64 Version 2.00A - 2.02C.

<Update history:December 8, 2020>
Added Security Patches for MC Works64 Version 3.00A - 3.04E.

<Update history:September 9, 2020>
Added Security Patches for MC Works64 Version 4.00A - 4.02C.

<Update history:May 18, 2021>
Modified the description of “Countermeasures”.Added the IP filter function to “Mitigations”.

<Update history:May 18, 2021>
Added affected product(R08/16/32/120PSFCPU). Added R16/32/64MTCPU that has been fixed to “Countermeasures".

<Update history:February 18, 2021>
Added modules that have been fixed to “Countermeasures”.

<Update history:October 26, 2020>
Added modules that have been fixed to “Countermeasures”.

<Update history:April 20, 2021>
Modified part of descriptions of “Overview” and “Impact”.

<Update history:November 5, 2020>
Added modules that have been fixed to “Countermeasures”.