CVE-2021-20587
CVE-2021-20587 is a high-severity vulnerability in Mitsubishielectric C Controller Module Setting And Monitoring Tool with a CVSS 3.x base score of 7.5. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-122.
Key facts
- Severity: High (CVSS 3.x base score 7.5)
- CVSS v2: 7.5
- EPSS exploit prediction: 4% (88th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-122
- Affected product: Mitsubishielectric C Controller Module Setting And Monitoring Tool
- Published:
- Last modified:
Description
Heap-based buffer overflow vulnerability in Mitsubishi Electric FA Engineering Software (CPU Module Logging Configuration Tool versions 1.112R and prior, CW Configurator versions 1.011M and prior, Data Transfer versions 3.44W and prior, EZSocket versions 5.4 and prior, FR Configurator all versions, FR Configurator SW3 all versions, FR Configurator2 versions 1.24A and prior, GT Designer3 Version1(GOT1000) versions 1.250L and prior, GT Designer3 Version1(GOT2000) versions 1.250L and prior, GT SoftGOT1000 Version3 versions 3.245F and prior, GT SoftGOT2000 Version1 versions 1.250L and prior, GX Configurator-DP versions 7.14Q and prior, GX Configurator-QP all versions, GX Developer versions 8.506C and prior, GX Explorer all versions, GX IEC Developer all versions, GX LogViewer versions 1.115U and prior, GX RemoteService-I all versions, GX Works2 versions 1.597X and prior, GX Works3 versions 1.070Y and prior, iQ Monozukuri ANDON (Data Transfer) versions 1.003D and prior, iQ Monozukuri Process Remote Monitoring (Data Transfer) versions 1.002C and prior, M_CommDTM-HART all versions, M_CommDTM-IO-Link versions 1.03D and prior, MELFA-Works versions 4.4 and prior, MELSEC WinCPU Setting Utility all versions, MELSOFT EM Software Development Kit (EM Configurator) versions 1.015R and prior, MELSOFT Navigator versions 2.74C and prior, MH11 SettingTool Version2 versions 2.004E and prior, MI Configurator versions 1.004E and prior, MT Works2 versions 1.167Z and prior, MX Component versions 5.001B and prior, Network Interface Board CC IE Control utility versions 1.29F and prior, Network Interface Board CC IE Field Utility versions 1.16S and prior, Network Interface Board CC-Link Ver.2 Utility versions 1.23Z and prior, Network Interface Board MNETH utility versions 34L and prior, PX Developer versions 1.53F and prior, RT ToolBox2 versions 3.73B and prior, RT ToolBox3 versions 1.82L and prior, Setting/monitoring tools for the C Controller module (SW4PVC-CCPU) versions 4.12N and prior, and SLMP Data Collector versions 1.04E and prior) allows a remote unauthenticated attacker to cause a DoS condition on the software products, and possibly to execute a malicious code on the personal computer running the software products although it has not been reproduced, by spoofing MELSEC, GOT or FREQROL and returning crafted reply packets.
Frequently asked questions
- What is CVE-2021-20587?
- Heap-based buffer overflow vulnerability in Mitsubishi Electric FA Engineering Software (CPU Module Logging Configuration Tool versions 1.112R and prior, CW Configurator versions 1.011M and prior, Data Transfer versions 3.44W and prior, EZSocket versions 5.4 and prior, FR Configurator all versions, FR Configurator SW3 all versions, FR Configurator2 versions 1.24A and prior, GT Designer3 Version1(GOT1000) versions 1.250L and prior, GT Designer3 Version1(GOT2000) versions 1.250L and prior, GT SoftGOT1000 Version3 versions 3.245F and prior, GT SoftGOT2000 Version1 versions 1.250L and prior, GX Configurator-DP versions 7.14Q and prior, GX Configurator-QP all versions, GX Developer versions 8.506C and prior, GX Explorer all versions, GX IEC Developer all versions, GX LogViewer versions 1.115U and prior, GX RemoteService-I all versions, GX Works2 versions 1.597X and prior, GX Works3 versions 1.070Y and prior, iQ Monozukuri ANDON (Data Transfer) versions 1.003D and prior, iQ Monozukuri Process Remote Monitoring (Data Transfer) versions 1.002C and prior, M_CommDTM-HART all versions, M_CommDTM-IO-Link versions 1.03D and prior, MELFA-Works versions 4.4 and prior, MELSEC WinCPU Setting Utility all versions, MELSOFT EM Software Development Kit (EM Configurator) versions 1.015R and prior, MELSOFT Navigator versions 2.74C and prior, MH11 SettingTool Version2 versions 2.004E and prior, MI Configurator versions 1.004E and prior, MT Works2 versions 1.167Z and prior, MX Component versions 5.001B and prior, Network Interface Board CC IE Control utility versions 1.29F and prior, Network Interface Board CC IE Field Utility versions 1.16S and prior, Network Interface Board CC-Link Ver.2 Utility versions 1.23Z and prior, Network Interface Board MNETH utility versions 34L and prior, PX Developer versions 1.53F and prior, RT ToolBox2 versions 3.73B and prior, RT ToolBox3 versions 1.82L and prior, Setting/monitoring tools for the C Controller module (SW4PVC-CCPU) versions 4.12N and prior, and SLMP Data Collector versions 1.04E and prior) allows a remote unauthenticated attacker to cause a DoS condition on the software products, and possibly to execute a malicious code on the personal computer running the software products although it has not been reproduced, by spoofing MELSEC, GOT or FREQROL and returning crafted reply packets.
- How severe is CVE-2021-20587?
- CVE-2021-20587 has a CVSS 3.x base score of 7.5, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is none, integrity none, and availability high.
- Is CVE-2021-20587 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 4% (88th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2021-20587?
- CVE-2021-20587 primarily affects Mitsubishielectric C Controller Module Setting And Monitoring Tool. In total, 41 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2021-20587?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2021-20587 published?
- CVE-2021-20587 was published on 2021-02-19 and last updated on 2026-06-17.
References
- https://jvn.jp/vu/JVNVU92330101
- https://www.cisa.gov/news-events/ics-advisories/icsa-21-049-02
- https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2020-021_en.pdf
- https://jvn.jp/vu/JVNVU92330101/index.html
- https://us-cert.cisa.gov/ics/advisories/icsa-21-049-02
- https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-021_en.pdf
Affected products (41)
- cpe:2.3:a:mitsubishielectric:c_controller_module_setting_and_monitoring_tool:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishielectric:cpu_module_logging_configuration_tool:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishielectric:cw_configurator:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishielectric:data_transfer:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishielectric:ezsocket:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishielectric:fr_configurator:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishielectric:fr_configurator_sw3:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishielectric:fr_configurator2:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishielectric:gt_designer3:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishielectric:gt_softgot1000:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishielectric:gt_softgot2000:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishielectric:gx_configurator-dp:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishielectric:gx_configurator-qp:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishielectric:gx_developer:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishielectric:gx_explorer:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishielectric:gx_iec_developer:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishielectric:gx_logviewer:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishielectric:gx_remoteservice-i:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishielectric:gx_works2:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishielectric:gx_works3:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishielectric:iq_monozukuri_andon:-:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishielectric:iq_monozukuri_process_remote_monitoring:-:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishielectric:m_commdtm-hart:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishielectric:m_commdtm-io-link:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishielectric:melfa-works:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishielectric:melsec_wincpu_setting_utility:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishielectric:melsoft_em_software_development_kit:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishielectric:melsoft_navigator:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishielectric:mh11_settingtool_version2:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishielectric:mi_configurator:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishielectric:mt_works2:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishielectric:mx_component:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishielectric:network_interface_board_cc-link:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishielectric:network_interface_board_cc_ie_control_utility:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishielectric:network_interface_board_cc_ie_field_utility:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishielectric:network_interface_board_mneth_utility:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishielectric:px_developer:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishielectric:rt_toolbox2:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishielectric:rt_toolbox3:*:*:*:*:*:*:*:*
- cpe:2.3:a:mitsubishielectric:setting\/monitoring_tools_for_the_c_controller_module:*:*:*:*:*:*:*:*
More vulnerabilities in Mitsubishielectric C Controller Module Setting And Monitoring Tool
- CVE-2020-14521 — High (CVSS 8.3): Multiple Mitsubishi Electric Factory Automation engineering software products have a malicious code execution…
- CVE-2021-20588 — High (CVSS 7.5): Improper Handling of Length Parameter Inconsistency vulnerability in Mitsubishi Electric FA Engineering Software (CPU…
All CVEs affecting Mitsubishielectric C Controller Module Setting And Monitoring Tool →
Other CWE-122 (Heap-based Buffer Overflow) vulnerabilities
- CVE-2026-46752 — Critical (CVSS 10.0): Redis Lua HEAP overflow in cjson library vulnerability in Apache Kvrocks. This issue affects Apache Kvrocks: from…
- CVE-2026-24822 — Critical (CVSS 10.0): Out-of-bounds Write, Heap-based Buffer Overflow vulnerability in ttttupup wxhelper (src modules). This vulnerability is…
- CVE-2025-23123 — Critical (CVSS 10.0): A malicious actor with access to the management network could execute a remote code execution (RCE) by exploiting a…
- CVE-2022-34819 — Critical (CVSS 10.0): A vulnerability has been identified in SIMATIC CP 1242-7 V2 (All versions < V3.3.46), SIMATIC CP 1243-1 (All versions <…
- CVE-2026-44050 — Critical (CVSS 9.9): A heap-based buffer overflow in the CNID daemon comm_rcv() function in Netatalk 2.0.0 through 4.4.2 allows a remote…
- CVE-2026-49841 — Critical (CVSS 9.8): FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to…
Browse all CWE-122 (Heap-based Buffer Overflow) vulnerabilities →