CVE-2020-14521 | Mitsubishi Electric Factory Automation Engineering Products Unquoted Search Path or Element

Multiple Mitsubishi Electric Factory Automation engineering software products have a malicious code execution vulnerability. A malicious attacker could use this vulnerability to obtain information, modify information, and cause a denial-of-service condition.

Published: 2022-02-11 Last update: 2026-06-16 Assigner: [email protected] Source: [email protected]
NVD Status:ModifiedCVE State: published
View at NVD, CVE.org, EUVD

CVE-2020-14521 is rated Moderate Risk (56.4/100): CVSS High severity, with medium exploitation likelihood (EPSS 1.22%). Review affected assets and schedule remediation.

Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.

Exploit prediction scoring system (EPSS) score for CVE-2020-14521

EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).

# Date Old EPSS score New EPSS score Delta (New - Old)
1 2026-06-15 0.58% 1.22% +0.63%
2 2026-04-29 0.31% 0.58% +0.28%
3 2026-04-18 0.31%

Full EPSS history (18 records total)

Common vulnerability scoring system (CVSS) metrics for CVE-2020-14521

CVSS metrics for this CVE.

Base score Version Severity Vector Exploitability Impact Score source
8.3 3.1 HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:H)
Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:R)
A real person has to do something—click, install, enable—otherwise it doesn’t land.
Scope (S:C)
Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
 1.6 6.0 [email protected]
9.8 3.1 CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:H)
Serious risk that confidential data gets exposed in a big way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:H)
Could take the service down hard or make it unusable for people who depend on it.
 3.9 5.9 [email protected]
7.5 2.0 HIGH
AV:N/AC:L/Au:N/C:P/I:P/A:P Click to expand
Access vector (AV:N)
Can be exploited remotely over network reachability.
Access complexity (AC:L)
Exploitation conditions are straightforward and predictable.
Authentication (AU:N)
No authentication is required.
Confidentiality impact (C:P)
Partial confidentiality impact.
Integrity impact (I:P)
Partial integrity impact.
Availability impact (A:P)
Partial availability impact.
 10.0 6.4 [email protected]

Weakness enumeration for CVE-2020-14521

Affected software / configurations for CVE-2020-14521

Vendor Product Version Raw CPE
mitsubishielectric c_controller_interface_module_utility cpe:2.3:a:mitsubishielectric:c_controller_interface_module_utility:*:*:*:*:*:*:*:*
mitsubishielectric c_controller_module_setting_and_monitoring_tool cpe:2.3:a:mitsubishielectric:c_controller_module_setting_and_monitoring_tool:*:*:*:*:*:*:*:*
mitsubishielectric cc-link_ie_control_network_data_collector 1.00a cpe:2.3:a:mitsubishielectric:cc-link_ie_control_network_data_collector:1.00a:*:*:*:*:*:*:*
mitsubishielectric cc-link_ie_field_network_data_collector 1.00a cpe:2.3:a:mitsubishielectric:cc-link_ie_field_network_data_collector:1.00a:*:*:*:*:*:*:*
mitsubishielectric cc-link_ie_tsn_data_collector 1.00a cpe:2.3:a:mitsubishielectric:cc-link_ie_tsn_data_collector:1.00a:*:*:*:*:*:*:*
mitsubishielectric cpu_module_logging_configuration_tool <= 1.100e cpe:2.3:a:mitsubishielectric:cpu_module_logging_configuration_tool:*:*:*:*:*:*:*:*
mitsubishielectric cw_configurator <= 1.010l cpe:2.3:a:mitsubishielectric:cw_configurator:*:*:*:*:*:*:*:*
mitsubishielectric data_transfer <= 3.42u cpe:2.3:a:mitsubishielectric:data_transfer:*:*:*:*:*:*:*:*
mitsubishielectric ezsocket <= 5.1 cpe:2.3:a:mitsubishielectric:ezsocket:*:*:*:*:*:*:*:*
mitsubishielectric fr_configurator_sw3 cpe:2.3:a:mitsubishielectric:fr_configurator_sw3:*:*:*:*:*:*:*:*
mitsubishielectric fr_configurator2 cpe:2.3:a:mitsubishielectric:fr_configurator2:*:*:*:*:*:*:*:*
mitsubishielectric gt_designer2_classic cpe:2.3:a:mitsubishielectric:gt_designer2_classic:*:*:*:*:*:*:*:*
mitsubishielectric gt_softgot1000 >= 3.0, <= 3.200j cpe:2.3:a:mitsubishielectric:gt_softgot1000:*:*:*:*:*:*:*:*
mitsubishielectric gt_softgot2000 >= 1.0, <= 1.241b cpe:2.3:a:mitsubishielectric:gt_softgot2000:*:*:*:*:*:*:*:*
mitsubishielectric gx_developer <= 8.504a cpe:2.3:a:mitsubishielectric:gx_developer:*:*:*:*:*:*:*:*
mitsubishielectric gx_logviewer <= 1.100e cpe:2.3:a:mitsubishielectric:gx_logviewer:*:*:*:*:*:*:*:*
mitsubishielectric gx_works2 <= 1.601b cpe:2.3:a:mitsubishielectric:gx_works2:*:*:*:*:*:*:*:*
mitsubishielectric gx_works3 <= 1.063r cpe:2.3:a:mitsubishielectric:gx_works3:*:*:*:*:*:*:*:*
mitsubishielectric m_commdtm-io-link cpe:2.3:a:mitsubishielectric:m_commdtm-io-link:*:*:*:*:*:*:*:*
mitsubishielectric melfa-works <= 4.4 cpe:2.3:a:mitsubishielectric:melfa-works:*:*:*:*:*:*:*:*
mitsubishielectric melsec_wincpu_setting_utility cpe:2.3:a:mitsubishielectric:melsec_wincpu_setting_utility:*:*:*:*:*:*:*:*
mitsubishielectric melsoft_complete_clean_up_tool <= 1.06g cpe:2.3:a:mitsubishielectric:melsoft_complete_clean_up_tool:*:*:*:*:*:*:*:*
mitsubishielectric melsoft_em_software_development_kit cpe:2.3:a:mitsubishielectric:melsoft_em_software_development_kit:*:*:*:*:*:*:*:*
mitsubishielectric melsoft_iq_appportal <= 1.17t cpe:2.3:a:mitsubishielectric:melsoft_iq_appportal:*:*:*:*:*:*:*:*
mitsubishielectric melsoft_navigator <= 2.74c cpe:2.3:a:mitsubishielectric:melsoft_navigator:*:*:*:*:*:*:*:*
mitsubishielectric mi_configurator cpe:2.3:a:mitsubishielectric:mi_configurator:*:*:*:*:*:*:*:*
mitsubishielectric motion_control_setting <= 1.005f cpe:2.3:a:mitsubishielectric:motion_control_setting:*:*:*:*:*:*:*:*
mitsubishielectric motorizer <= 1.005f cpe:2.3:a:mitsubishielectric:motorizer:*:*:*:*:*:*:*:*
mitsubishielectric mr_configurator2 <= 1.125f cpe:2.3:a:mitsubishielectric:mr_configurator2:*:*:*:*:*:*:*:*
mitsubishielectric mt_works2 <= 1.167z cpe:2.3:a:mitsubishielectric:mt_works2:*:*:*:*:*:*:*:*
mitsubishielectric mtconnect_data_collector <= 1.1.4.0 cpe:2.3:a:mitsubishielectric:mtconnect_data_collector:*:*:*:*:*:*:*:*
mitsubishielectric mx_component <= 4.20w cpe:2.3:a:mitsubishielectric:mx_component:*:*:*:*:*:*:*:*
mitsubishielectric mx_mesinterface <= 1.21x cpe:2.3:a:mitsubishielectric:mx_mesinterface:*:*:*:*:*:*:*:*
mitsubishielectric mx_mesinterface-r <= 1.12n cpe:2.3:a:mitsubishielectric:mx_mesinterface-r:*:*:*:*:*:*:*:*
mitsubishielectric mx_sheet <= 2.15r cpe:2.3:a:mitsubishielectric:mx_sheet:*:*:*:*:*:*:*:*
mitsubishielectric position_board_utility_2 cpe:2.3:a:mitsubishielectric:position_board_utility_2:*:*:*:*:*:*:*:*
mitsubishielectric px_developer <= 1.53f cpe:2.3:a:mitsubishielectric:px_developer:*:*:*:*:*:*:*:*
mitsubishielectric rt_toolbox2 <= 3.73b cpe:2.3:a:mitsubishielectric:rt_toolbox2:*:*:*:*:*:*:*:*
mitsubishielectric rt_toolbox3 <= 1.82l cpe:2.3:a:mitsubishielectric:rt_toolbox3:*:*:*:*:*:*:*:*
mitsubishielectric setting\/monitoring_tools_for_the_c_controller_module cpe:2.3:a:mitsubishielectric:setting\/monitoring_tools_for_the_c_controller_module:*:*:*:*:*:*:*:*
mitsubishielectric slmp_data_collector <= 1.04e cpe:2.3:a:mitsubishielectric:slmp_data_collector:*:*:*:*:*:*:*:*
mitsubishielectric gt_designer3 <= 1.241b cpe:2.3:a:mitsubishielectric:gt_designer3:*:*:*:*:*:*:*:*
mitsubishielectric network_interface_board_cc-link_ver.2_utility_firmware cpe:2.3:o:mitsubishielectric:network_interface_board_cc-link_ver.2_utility_firmware:*:*:*:*:*:*:*:*
mitsubishielectric network_interface_board_cc_ie_control_utility_firmware cpe:2.3:o:mitsubishielectric:network_interface_board_cc_ie_control_utility_firmware:*:*:*:*:*:*:*:*
mitsubishielectric network_interface_board_cc_ie_field_utility_firmware cpe:2.3:o:mitsubishielectric:network_interface_board_cc_ie_field_utility_firmware:*:*:*:*:*:*:*:*
mitsubishielectric network_interface_board_mneth_utility_firmware cpe:2.3:o:mitsubishielectric:network_interface_board_mneth_utility_firmware:*:*:*:*:*:*:*:*

References for CVE-2020-14521

cvelogic Threat Intelligence