CVE-2022-29833 is a vulnerability classified under CWE-522 (Insufficiently Protected Credentials) affecting Mitsubishi Electric Corporation's GX Works3 software, specifically versions 1.015R and later. GX Works3 is an engineering software used for programming and configuring Mitsubishi's MELSEC series programmable logic controllers (PLCs), including safety CPU modules. The vulnerability allows a remote, unauthenticated attacker to disclose sensitive information related to credentials or authentication data. This exposure enables unauthorized access to MELSEC safety CPU modules, which are critical components in industrial control systems (ICS) responsible for ensuring safe operation of machinery and processes. The flaw arises from inadequate protection mechanisms for stored or transmitted credentials within the software, allowing attackers to bypass authentication controls remotely without user interaction. Although no known exploits have been reported in the wild, the vulnerability poses a significant risk due to the critical nature of safety CPU modules in industrial environments. The insufficient credential protection could lead to unauthorized command execution or manipulation of safety functions, potentially causing operational disruptions or safety hazards. The lack of available patches at the time of reporting further increases the risk for affected users.

For European organizations, especially those operating in manufacturing, energy, transportation, and critical infrastructure sectors, this vulnerability presents a substantial threat. Compromise of MELSEC safety CPU modules could lead to unauthorized control over safety-critical processes, risking physical damage to equipment, injury to personnel, and disruption of essential services. Given the widespread use of Mitsubishi Electric PLCs in European industrial environments, exploitation could result in operational downtime, financial losses, and reputational damage. Furthermore, unauthorized access to safety modules undermines trust in industrial automation systems and could be leveraged for sabotage or espionage. The medium severity rating reflects the balance between the lack of known active exploitation and the high potential impact on confidentiality, integrity, and availability of safety-critical systems. The vulnerability's remote and unauthenticated nature increases the attack surface, making it accessible to external threat actors without requiring insider access or user interaction.

European organizations using GX Works3 should immediately conduct an inventory to identify affected versions (1.015R and later). In the absence of official patches, implement network segmentation to isolate engineering workstations and MELSEC safety CPU modules from untrusted networks, minimizing remote attack vectors. Employ strict access controls and monitoring on systems running GX Works3, including limiting network access to trusted personnel and devices only. Use VPNs with strong authentication for remote access and enable logging to detect anomalous activities. Regularly back up PLC configurations and safety module data to enable recovery in case of compromise. Engage with Mitsubishi Electric for updates or patches and apply them promptly once available. Additionally, conduct security awareness training for operational technology (OT) staff regarding this vulnerability and best practices for credential protection. Consider deploying intrusion detection systems tailored for ICS environments to identify attempts to exploit this vulnerability.