CVE-2021-20598

Overly Restrictive Account Lockout Mechanism vulnerability in Mitsubishi Electric MELSEC iQ-R series CPU modules (R08/16/32/120SFCPU all versions, R08/16/32/120PSFCPU all versions) allows a remote unauthenticated attacker to lockout a legitimate user by continuously trying login with incorrect password.

Published: Aug 6, 2021
Updated: Apr 14, 2023
CVE: CVE-2021-20598
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.3
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS v2:

Severity: Medium
Score: 5
AV:N/AC:L/Au:N/C:N/I:N/A:P

CWEs:

CWE-287

OWASP TOP 10:

A2 - Broken Authentication

Affected Software
References

Software	From	Fixed in
mitsubishielectric / r08sfcpu_firmware	-	-
mitsubishielectric / r16sfcpu_firmware	-	-
mitsubishielectric / r32sfcpu_firmware	-	-
mitsubishielectric / r120sfcpu_firmware	-	-
mitsubishielectric / r08psfcpu_firmware	-	-
mitsubishielectric / r16psfcpu_firmware	-	-
mitsubishielectric / r32psfcpu_firmware	-	-
mitsubishielectric / r120psfcpu_firmware	-	-

https://jvn.jp/vu/JVNVU98578731/index.html
https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-010_en.pdf

Vulnerability Database

290,020

CVE-2021-20598