Mitsubishi Electric's GOT2000 Series and GT Software for GOT2000

Risk evaluation has identified two vulnerabilities that could allow attackers to perform unintended operations through clickjacking, or to disclose sensitive information from users' browsers or impersonate legitimate users by abusing inappropriate HTML attributes. CVE-2022-40269 and CVE-2022-40268 have been assigned to these vulnerabilities, with CVSS v3 base scores of 6.8 and 6.1, respectively.

To mitigate the risk of exploitation, Mitsubishi Electric recommends that users update to the latest software versions, use a firewall or virtual private network, install antivirus software, and use the IP filter function to control access. CISA also recommends that organizations minimize network exposure for all control system devices and/or systems, and use secure methods such as Virtual Private Networks for remote access. CISA provides a section on recommended practices for control systems security on its website, as well as the publication Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

No known public exploits specifically target these vulnerabilities, and they have a high attack complexity. CISA encourages users to provide feedback about this product.

This Cyber News was published on us-cert.cisa.gov. Publication date: Thu, 02 Feb 2023 17:44:03 +0000

