What is the severity of CVE-2023-4699?

CVE-2023-4699 has a severity rating of CRITICAL with a CVSS base score of 10.

CVE-2023-4699 | Critical Vulnerability in Mitsubishi Electric Products

Q: What is CVE-2023-4699?

A critical vulnerability in Mitsubishi Electric's CPU modules allows remote unauthenticated attackers to execute arbitrary commands. Immediate patching is highly recommended to mitigate risks.

CVE-2023-4699 is a critical vulnerability affecting multiple Mitsubishi Electric Corporation's MELSEC series CPU modules. This vulnerability allows remote unauthenticated attackers to execute arbitrary commands by sending specially crafted packets to the affected products. The severity of this vulnerability is underscored by its CVSS score of 10, indicating a critical risk level.

The implications of this vulnerability are significant, as attackers may leverage it to read or write control programs, thereby disclosing or tampering with critical information. Additionally, it poses a risk of denial-of-service (DoS) conditions, which could reset the memory contents of the devices to factory settings or cause them to reset remotely.

Organizations using affected Mitsubishi Electric products should prioritize patching immediately to prevent exploitation. The urgency for defenders is critical due to the high potential for operational disruption and data compromise.

The vulnerability was published on November 6, 2023, and is classified under CWE-306 (Missing Authentication for Critical Function) and CWE-345 (Insufficient Verification of Data Authenticity).

Vulnerability Details

The official description of this vulnerability states that it arises from missing authentication for critical functions in various Mitsubishi Electric products, including the MELSEC-F Series CPU modules and other related series. The vulnerability's attack vector is network-based, with low complexity and no privileges or user interaction required for exploitation.

The vulnerability is categorized as critical due to its potential impacts, including high confidentiality, integrity, and availability impacts. The CVSS vector is as follows: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H.

Affected products include the MELSEC iQ-F Series, MELSEC iQ-R Series CPU modules, and several Mitsubishi Electric CNC series, among others.

Technical Analysis

The root cause of CVE-2023-4699 stems from a failure to implement proper authentication mechanisms for critical functions in the affected products. Attackers can exploit this vulnerability over the network, with low complexity, as no authentication or user interaction is needed.

The vulnerability allows attackers to potentially gain control over the devices, leading to unauthorized access to sensitive configurations and operational controls. The overall impact includes potential data breaches, integrity violations, and service disruptions.

Risk & Impact Analysis

The real-world risk associated with CVE-2023-4699 is considerable, particularly for organizations relying on Mitsubishi Electric's automation products. The blast radius could extend to any facility utilizing these devices, which could lead to extensive operational downtime and loss of critical data.

The urgency of addressing this vulnerability is underscored by its critical CVSS score and the potential for immediate exploitation. Organizations should assess their exposure and prioritize remediation efforts within their security operations.

Signal	Status
Known Exploit	Yes
Public PoC	Yes
Actively Exploited	No
Ransomware Use	No

Affected Versions

Affected versions include multiple firmware iterations for the FX3 Series, FX5 Series, and others. As of now, all versions prior to the vendor's patch remain vulnerable.

Mitigation & Remediation

Organizations should prioritize applying the latest firmware updates provided by Mitsubishi Electric to mitigate this vulnerability. In addition to patching, implementing network segmentation and monitoring can help reduce exposure to potential attacks.

For more information on how to secure your systems, consider reviewing our guide on application security assessments and continuous monitoring strategies.

Detection Guidance

To detect potential exploitation of this vulnerability, organizations should monitor logs for unusual access patterns and unexpected resets of devices. Implementing behavioral anomaly detection can help identify attacks in real-time.

AppSecure Threat Intelligence Insight

The long-term significance of CVE-2023-4699 is critical, representing a broader trend of vulnerabilities in industrial control systems and their increasing exposure to cyber threats. Security teams should take lessons from this incident to enhance their security posture, focusing on robust authentication mechanisms and regular security assessments.

For further insights into threat intelligence and risk management, refer to our articles on vulnerability management programs, penetration testing methodologies, and best practices in security testing to strengthen defenses against similar vulnerabilities.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

CVE ID	Title	Severity	Vulnerability Type	Published
CVE-2025-65418	CVE-2025-65418: High Vulnerability in docuFORM Managed Print Service Client	HIGH	Path Traversal	May 11, 2026
CVE-2025-65417	CVE-2025-65417: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	XSS	May 11, 2026
CVE-2025-65416	CVE-2025-65416: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Unrestricted File Upload	May 11, 2026
CVE-2025-65415	CVE-2025-65415: Medium Vulnerability in docuFORM Managed Print Service Client	MEDIUM	Session Fixation	May 11, 2026
CVE-2025-61314	CVE-2025-61314: High Vulnerability in GmbH Mecury Managed Print Services	HIGH	XSS	May 11, 2026

CVE-2023-4699: Critical Vulnerability in Mitsubishi Electric Products