GX Works3 is the configuration and programming software provided by Mitsubishi Electric for its MELSEC iQ-F and iQ-R programmable logic controllers (PLCs).
Nozomi researchers identified three security holes — tracked as CVE-2022-29831, CVE-2022-29832 and CVE-2022-29833 — that could allow an attacker to obtain information from GX Works3 project files to compromise connected safety CPU modules.
The project files for these modules are encrypted and a user-configured username and password are required to open them. However, Nozomi discovered hardcoded password, cleartext storage, and insufficient credential protection issues that expose these credentials and other sensitive information.