Mitsubishi Electric’s GX Works3 is central to programming and managing the company’s PLC (Programmable Logic Controller) equipment, which drives automation in factories and infrastructure around the world. In 2022, security researchers disclosed CVE-2022-29828, a vulnerability that lets an attacker read or tamper with GX Works3 project files by abusing a secret that should never have been hard-coded in the first place.
This post breaks down how the vulnerability works, how an attacker would use it, and what it means for anyone running Mitsubishi PLCs. The language is kept plain and direct, so readers with only a basic security background can follow along.
What is CVE-2022-29828?
CVE-2022-29828 is a vulnerability caused by the use of a hard-coded cryptographic key in Mitsubishi Electric GX Works3 (at the time of the advisory, every released version was affected). Hard-coding a key into a program’s code or resources means *anyone* with a copy of the application can extract it: the secret is identical on every installation, and it can be recovered by reverse engineering rather than by attacking any user.
Here’s why it’s bad
- The application uses this key to encrypt and decrypt project files, which hold the PLC program and its configuration.
- *If you have the key, you can decrypt confidential configurations or craft project files carrying your own logic, without any valid credentials.*
Official notice from Mitsubishi:
- Mitsubishi's advisory
ICS-CERT summary:
- CISA Alert - ICS Advisory ICSA-22-171-02
Technical Details: How the Weakness Happens
GX Works3 embeds the cryptographic key in its own program and uses it to encrypt and decrypt project files (*.gx3 and related exports). Instead of deriving the key from a strong, user-supplied password, the same embedded key is used for every file, every user, every site.
Because the key is static, it can be recovered from the software itself: reverse-engineer the GX Works3 binaries and look for suspicious byte arrays or string constants that feed the encryption routine.
Once an attacker has the key, they can decrypt any file exported from the software, and they never need to log in to GX Works3 or touch a PLC to do so.
Pseudocode Example: How an Attacker Would Abuse the Key
Suppose an attacker gets hold of an exported GX Works3 project file (project.gx3). The steps are simple: extract the embedded key from a copy of GX Works3, decrypt the file with it, then read the sensitive ladder logic, passwords and IP addresses it contains, or modify the logic and re-encrypt the file so the tool loads it without complaint.
The real key value and encryption routine would have to be confirmed by reverse-engineering the actual software; they are not reproduced here.
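The following Python script is an added illustration and is not code from the original post or from Mitsubishi. It models the weakness in miniature: a 32-byte key compiled into a (constructed) program image, a (constructed) project-file format with a known header, and a toy HMAC-SHA256 counter-mode keystream so that it runs on the standard library alone. The attacker side scans the image for high-entropy windows and confirms the right one by trial decryption against the known header, which is the "byte arrays or string constants" hunt from the previous section carried through to a working key. The last part shows the fix the post's advice implies: derive the key from a user-supplied passphrase with PBKDF2, so an extracted constant no longer opens the file. The key value, header, file layout, cipher and every name below are assumptions for this example; GX Works3's real routines would have to be recovered by reverse engineering.

```python
"""Added illustration of a hard-coded project-file key (CWE-321) in an engineering tool.
Everything here is constructed for the example: the file header, the key, the nonce
layout and the cipher are NOT GX Works3's real implementation.  The cipher is
HMAC-SHA256 used as a keystream in counter mode so the script needs only the stdlib."""
import hashlib
import hmac
import math
import os
from collections import Counter
from typing import Iterator, Optional, Tuple

MAGIC = b"GX3PROJ\x00"   # constructed file header; gives a known-plaintext check
KEY_LEN = 32
NONCE_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: block i = HMAC-SHA256(key, nonce || i)."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt_project(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || (MAGIC || plaintext) XOR keystream.  Fresh nonce per file."""
    nonce = os.urandom(NONCE_LEN)
    body = MAGIC + plaintext
    return nonce + bytes(a ^ b for a, b in zip(body, keystream(key, nonce, len(body))))


def decrypt_project(key: bytes, blob: bytes) -> Optional[bytes]:
    """Decrypt and return the project body, or None if the key does not reproduce MAGIC."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    body = bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))
    return body[len(MAGIC):] if body.startswith(MAGIC) else None


# --- the weakness: one key compiled into every copy of the tool -----------------------
# Constructed stand-in for the vendor-wide key.  Its 32 byte values are all distinct so
# the entropy scan below behaves deterministically; a real key would simply look random.
EMBEDDED_KEY = bytes.fromhex(
    "a1c3e507294b6d8fb1d3f517395b7d9fc1e30527496b8dafd1f31537597b9dbf")

# Constructed stand-in for the engineering tool's binary: zero padding, a symbol-like
# string and some filler bytes around the key, as you would see in a real image.
FAKE_BINARY = (b"\x00" * 48 + b"ProjectCrypto::load\x00" + b"\x90" * 20
               + EMBEDDED_KEY + b"\x00" * 40 + b"\xff" * 16)

SAMPLE_PLAINTEXT = b"LD X0\nOUT Y10\n;ftp_pass=plc-maint-2022\n"   # constructed ladder + secret
SAMPLE_PROJECT = encrypt_project(EMBEDDED_KEY, SAMPLE_PLAINTEXT)  # a leaked .gx3-like file


# --- the attack: locate key material in the binary, confirm by trial decryption --------
def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 32 distinct bytes score 5.0, all-zero padding scores 0.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def candidate_keys(binary: bytes, key_len: int = KEY_LEN,
                   threshold: float = 4.6) -> Iterator[Tuple[int, bytes]]:
    """Yield (offset, window) for every window whose byte entropy looks like key material.
    Code, padding and ASCII strings score far below the threshold; random keys score above."""
    for off in range(len(binary) - key_len + 1):
        window = binary[off:off + key_len]
        if shannon_entropy(window) >= threshold:
            yield off, window


def recover_key(binary: bytes, leaked_file: bytes) -> Optional[Tuple[int, bytes]]:
    """Try each high-entropy window as the key; the known header tells us when we hit.
    Windows that merely overlap the key are also flagged, which is why trial decryption
    against a leaked file, not entropy alone, decides."""
    for off, cand in candidate_keys(binary):
        if decrypt_project(cand, leaked_file) is not None:
            return off, cand
    return None


# --- the fix: derive the key from a secret the user supplies, never from the binary ---
def derive_user_key(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000, dklen=KEY_LEN)


SALT = b"per-project-salt"   # constructed; in practice random and stored with the file
HARDENED_PROJECT = encrypt_project(derive_user_key("correct horse battery", SALT),
                                   SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    off, key = recover_key(FAKE_BINARY, SAMPLE_PROJECT)
    print(f"key found at offset {off}: {key.hex()}")
    print(decrypt_project(key, SAMPLE_PROJECT).decode())
    print("extracted key opens hardened file:",
          decrypt_project(key, HARDENED_PROJECT) is not None)
```

Run it directly to see the offset at which the key is found, the recovered plaintext, and the failed attempt on the passphrase-protected file. The trial-decryption step is the one that matters in practice: entropy alone flags every window that overlaps the key (and any compressed or random-looking data), so a known-plaintext check against a leaked file is what separates the real key from noise.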
What could an attacker do?
- Steal (exfiltrate) confidential programs: attackers can view, analyze or copy PLC code, which often holds sensitive manufacturing logic or embedded credentials.
- Reverse engineer security controls: by studying decrypted files, attackers can pinpoint weaknesses in the physical process or identify the most sensitive equipment.
- Inject rogue programs: with the key, an attacker can produce a validly encrypted project file containing their own logic and deliver it to an engineering station or PLC, potentially sabotaging the process or endangering safety.
- Move laterally in networks: the recovered information may help attackers compromise more systems or gain more privileged access.
None of this requires authenticating to the PLC or holding a valid engineering account.
How Does This Attack Work Remotely?
If you get hold of a .gx3 or other exported project file, you do not need to log in to GX Works3: the key alone decrypts it.
Now consider a company that keeps such files on a file share or in a Git repository, or leaks them by mistake. Or think of a supply chain where files travel by email between integrators and partners. An exposed cryptographic key lets *anyone who obtains those files* crack them open.
Worse: earlier vulnerabilities in Mitsubishi PLCs have allowed unauthenticated attackers to download project files with simple network requests; combined with this flaw, a remote attacker gets immediate access to the contents.
Can it Be Exploited Over the Internet?
- If project files can be obtained from outside (for example through another web vulnerability, or by phishing an engineer’s laptop), they can be decrypted anywhere.
- If attackers reach the ICS network and use other tooling to dump project files from a PLC, a GX Works3 installation or an engineering station, they can break confidentiality instantly.
Fixes & Mitigations
Mitsubishi’s advice:
- Restrict both internal and remote access to engineering workstations and PLCs.
- Check for vendor updates; Mitsubishi may release fixed versions. (*At the time of the advisory, all versions were affected.*)
Final Thoughts
The hardest lesson from CVE-2022-29828: never trust a "secret" that ships inside commercial software, especially in critical systems like industrial controls. If the whole world uses the same encryption key, it takes only one leak for all of that protection to vanish.
The real world has confirmed it: *attackers and researchers alike can, and have, pulled hard-coded keys out of many ICS/OT tools.* If you use GX Works3:
- Treat project files as secrets: keep them off open file shares, out of repositories and out of email threads.
- Monitor for any suspicious use of project files or unexpected PLC project uploads.
Attackers do not need insider access: one public leak, one careless upload, or one old copy of the software, and they are in.
For deeper reading
- Original Mitsubishi Advisory PDF
- NVD entry for CVE-2022-29828
- CISA ICS Advisory
Stay safe, and don’t trust factory-set secrets.
*(This post is an exclusive summary for educational and defensive security awareness. For responsible usage only.)*
Timeline
Published on: 11/25/2022 00:15:00 UTC
Last modified on: 05/31/2023 09:15:00 UTC