{"id":6052,"date":"2024-11-01T12:15:44","date_gmt":"2024-11-01T17:15:44","guid":{"rendered":"https:\/\/www.darkreading.com\/vulnerabilities-threats\/critical-auth-bugs-smart-factory-cyberattack"},"modified":"2024-11-01T12:15:44","modified_gmt":"2024-11-01T17:15:44","slug":"critical-auth-bugs-expose-smart-factory-gear-to-cyberattack","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2024\/11\/01\/critical-auth-bugs-expose-smart-factory-gear-to-cyberattack\/","title":{"rendered":"Critical Auth Bugs Expose Smart Factory Gear to Cyberattack"},"content":{"rendered":"
<\/a><\/div>\n
<\/div>\n

Critical security vulnerabilities affecting factory automation software from Mitsubishi Electric and Rockwell Automation could variously allow remote code execution (RCE), authentication bypass, product tampering, or denial-of-service (DoS).<\/span><\/p>\n

That’s according to the US Cybersecurity and Infrastructure Security Agency (CISA), which warned yesterday that an attacker could exploit the Mitsubishi Electric bug (CVE-2023-6943, CVSS score of 9.8) by calling a function with a path to a malicious library while connected to the device \u2014 resulting in authentication bypass, RCE, DoS, or data manipulation.<\/span><\/p>\n

The Rockwell Automation bug (CVE-2024-10386, CVSS 9.8), meanwhile, stems from a missing authentication check; a cyberattacker with network access could exploit it by sending crafted messages to a device, potentially resulting in database manipulation.<\/span><\/p>\n

The critical vulnerabilities are two out of several issues affecting Mitsubishi’s and Rockwell Automation’s smart-factory portfolios, all listed in CISA’s Halloween <\/span>disclosure<\/a><\/span>. Both industrial control systems (ICS) suppliers have issued mitigations for manufacturers to follow in order to avoid future compromise.<\/span><\/p>\n

The noncritical bugs include:<\/span><\/p>\n

\n