PatchSiren cyber security CVE debrief
CVE-2024-26314 Mitsubishi Electric CVE debrief
A local privilege escalation vulnerability affects 37 Mitsubishi Electric FA engineering software products. If malicious code executes on a system with affected software installed, a local attacker can gain Windows system privileges and execute arbitrary commands. Exploitation requires local access and user interaction and has high attack complexity, resulting in a CVSS 3.1 score of 4.4 (Medium). CISA published the initial advisory on May 14, 2024; the most recent update (Update E), on January 15, 2026, added version information to the affected product and mitigation sections. No known exploitation in ransomware campaigns has been reported.
- Vendor: Mitsubishi Electric
- Product: CPU Module Logging Configuration Tool
- CVSS: MEDIUM 4.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-05-14
- Original CVE updated: 2026-01-15
- Advisory published: 2024-05-14
- Advisory updated: 2026-01-15
Who should care
OT security teams, ICS engineers, manufacturing security personnel, and organizations using Mitsubishi Electric automation software in production environments. Prioritize environments with shared engineering workstations or insufficient endpoint protection on HMI/programming devices.
Technical summary
The vulnerability is an improper privilege management flaw in multiple Mitsubishi Electric FA engineering software products that allows a local attacker to escalate to Windows system privileges. An attack requires (1) local access to the system, (2) execution of malicious code, (3) low privileges, and (4) user interaction, and attack complexity is high. Under CVSS 3.1 scoring, successful exploitation has an integrity impact (arbitrary command execution) but no confidentiality or availability impact. The vulnerability affects 37 products, including major engineering suites (GX Works2/3, GT Designer3, MX Component) and specialized configuration tools.
Defensive priority
medium
Recommended defensive actions
- Inventory all Mitsubishi Electric FA engineering software installations across OT and engineering workstation environments
- Verify installed versions against affected version thresholds in CISA advisory ICSA-24-135-04
- Apply vendor-provided updates: CPU Module Logging Configuration Tool to 1.160S+, CW Configurator to 1.020W+, Data Transfer to 3.59M+, FR Configurator2 to 1.33K+, GT SoftGOT1000 to 3.315D+, GT SoftGOT2000 to 1.320J+, GX LogViewer to 1.160S+, GX Works2 to 1.625B+, GX Works3 to 1.110Q+, MR Configurator2 to 1.155M+
- For products requiring purchase contact (CSGL, EZSocket), coordinate with Mitsubishi Electric representatives for update assistance
- For end-of-life products without patches (FR Configurator SW3, GX Developer, MI Configurator, MR Configurator, MX OPC Server DA/UA), implement compensating controls: restrict local access, use application whitelisting, and apply network segmentation
- Apply defense-in-depth strategies per CISA ICS recommended practices: minimize network exposure, place control system networks behind firewalls, use VPNs for remote access, and monitor for anomalous behavior
Evidence notes
Source: CISA CSAF advisory ICSA-24-135-04 (Update E, published 2026-01-15). CVSS 3.1 vector: AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N. Affected products span engineering workstations including GX Works2, GX Works3, GT Designer3, MX Component, and 33 additional Mitsubishi Electric software packages.
Official resources
- CVE-2024-26314 CVE record (CVE.org)
- CVE-2024-26314 NVD detail (NVD)
- Source item URL (cisa_csaf)