Summary:
A serious vulnerability (CVE-2022-29827) in Mitsubishi Electric’s GX Works3 (all versions) lets attackers with no login exploit hard-coded cryptographic keys. If you’re in industrial automation or control engineering, this bug means your project files, programs, and valuable data might be exposed. Here’s a deep-dive into how the flaw works, how it can be abused, and what you need to know to defend your systems.
What is GX Works3?
GX Works3 is Mitsubishi Electric’s integrated engineering software to program, configure, and maintain their popular PLCs (Programmable Logic Controllers). These are found in factories, energy plants, infrastructures—basically, the backbone of global automation.
The Root Problem: Hard-coded Keys
In software security, using a “hard-coded cryptographic key” means a password or encryption key is built right into the code. If someone uncovers it, they can instantly decrypt sensitive information. In GX Works3, these hard-coded keys protect important configuration files, device settings, and actual PLC programs.
But if attackers get the key (which is possible, since it's the same across all installations), they can decrypt whatever GX Works3 protects.
Exploit Details: What’s Really at Stake?
Vulnerability ID: CVE-2022-29827
Vendor advisory: Mitsubishi Security Advisory
Let’s Get Technical: How is the Key Used?
GX Works3 stores user project files (with the .gx3 extension) encrypted under a cryptographic key.
A simplified code snippet showing how the insecure pattern looks:

    // Pseudo-code: how the hard-coded key is used (simplified)
    #include <openssl/aes.h>
    #include <string>

    // The key is a compile-time constant, so it ships inside the application
    // binary and is identical in every installation.
    const char *ENCRYPTION_KEY = "FixedSecretKey123";

    // To decrypt a project file
    std::string decrypt_project(const std::string &enc_data)
    {
        AES_KEY key;
        // ... setup
        AES_set_decrypt_key(reinterpret_cast<const unsigned char *>(ENCRYPTION_KEY), 128, &key);
        // ... decrypt enc_data with key here
    }
What’s wrong?
Everyone’s application uses the same key. Once a researcher or attacker finds it (by reverse engineering the program), any encrypted project file is now readable.
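To make the design flaw concrete, here is an added example (not Mitsubishi's code and not the GX Works3 file format) that contrasts the hard-coded-key pattern above with a per-project key derived from a user passphrase and a random salt, plus an integrity tag. "FixedSecretKey123" is the article's placeholder; the HMAC-SHA256 keystream is an illustrative stand-in for a real cipher so that the example runs on the Python standard library alone.

```python
import hashlib, hmac, os

# The anti-pattern from the write-up: one constant compiled into every copy of the tool.
# "FixedSecretKey123" is the article's placeholder, not a real GX Works3 key.
HARDCODED_KEY = b"FixedSecretKey123"

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Demonstration-only keystream: HMAC-SHA256(key, nonce || counter) blocks, in place of a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def seal_hardcoded(plaintext: bytes) -> bytes:
    """Vulnerable design: the only secret is the constant shipped in the binary."""
    nonce = os.urandom(16)
    return nonce + xor_bytes(plaintext, keystream(HARDCODED_KEY, nonce, len(plaintext)))

def open_hardcoded(blob: bytes) -> bytes:
    """Any copy of the tool, or anyone who has read the constant out of it, can do this."""
    nonce, ct = blob[:16], blob[16:]
    return xor_bytes(ct, keystream(HARDCODED_KEY, nonce, len(ct)))

def derive_keys(passphrase: str, salt: bytes) -> tuple:
    """Per-project keys via PBKDF2 over a user passphrase and a random salt stored with the file;
    the binary alone no longer holds enough to reconstruct them."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=64)
    return km[:32], km[32:]  # encryption key, MAC key

def seal_project(plaintext: bytes, passphrase: str) -> bytes:
    """Hardened design: salt || nonce || ciphertext || HMAC tag (encrypt-then-MAC)."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(passphrase, salt)
    ct = xor_bytes(plaintext, keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag

def open_project(blob: bytes, passphrase: str) -> bytes:
    """Rejects a wrong passphrase or a modified file before returning any plaintext."""
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or tampered project file")
    return xor_bytes(ct, keystream(enc_key, nonce, len(ct)))
```

With the hardened layout, a project file copied off a share is useless without the passphrase, and any edit to the file is detected before decryption.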
Extract a sample project file (MyPlantProject.gx3).
4. Write a decryption tool using the found key. Here is simplified Python code for demonstration:

    from Crypto.Cipher import AES  # PyCryptodome

    # Example value recovered from the binary (placeholder; a real AES key is 16, 24 or 32 bytes)
    ENCRYPTION_KEY = b"FixedSecretKey123"

    # Read the encrypted project file
    with open("MyPlantProject.gx3", "rb") as f:
        encrypted = f.read()

    # The key is identical in every installation, so no per-user secret is needed
    cipher = AES.new(ENCRYPTION_KEY, AES.MODE_ECB)
    plain = cipher.decrypt(encrypted)

    with open("decrypted_project.txt", "wb") as f:
        f.write(plain)
Result:
Now you have the entire project in plaintext. No password needed. All logic, connections, and secrets are visible.
Real-world Impact
This attack requires no authentication and no access to a running PLC, only files or network traffic. If attackers get a copy of your GX Works3 projects (via phishing, malware, or misconfigured shares), they can:
Mitigations and Fix
- Mitsubishi’s advice: See official mitigation steps.
References
- National Vulnerability Database: CVE-2022-29827
- Mitsubishi Electric Official Advisory (PDF)
Conclusion
CVE-2022-29827 is a strong reminder: hard-coded keys break security. If you use GX Works3 or share project files, treat all data as potentially exposed until you lock down file access and update your tools.
We hope this deep-dive helps you understand the risk and patch your practices.
Timeline
Published on: 11/25/2022 00:15:00 UTC
Last modified on: 05/31/2023 09:15:00 UTC