Mitsubishi Electric FREQSHIP-mini for Windows Incorrect Default Permissions Vulnerability Allowing Arbitrary Code Execution

A vulnerability allowing arbitrary code execution with system privileges has been identified in Mitsubishi Electric FREQSHIP-mini for Windows, versions 8.0.0 prior to 8.0.2. This vulnerability arises from incorrect default permissions, which allow local attackers to replace service executable files or DLLs in the installation directory with specially crafted files. Exploitation of this vulnerability could lead to unauthorized access to, modification, deletion, or destruction of information on the affected PC, or cause a denial-of-service condition.

Impact

Exploitation of this vulnerability could allow a local attacker to execute arbitrary code with system privileges, potentially leading to unauthorized access to, modification, deletion, or destruction of information on the affected system, or causing a denial-of-service condition.

Remediation

Users are advised to update to version 8.1.0 or later. For those using Windows 10, Windows 11, or Windows Server 2022, the latest version can be downloaded from the Mitsubishi Electric download site. Customers using Windows Vista, Windows 7, Windows 8, Windows 8.1, or Windows Server 2008 should note that no fixed version will be released and are recommended to follow certain mitigations, such as restricting physical access to the PC and network, blocking remote logins from untrusted sources, and installing antivirus software.