Skip to main content

MR-GM5L-S1, MR-GM5A-L1 CVE-2026-20892

HIGH
Code Injection (CWE-94)
2026-03-11 vultures@jpcert.or.jp
8.6
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
Apr 30, 2026 - 16:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 30, 2026 - 16:22 vuln.today
cvss_changed
CVSS changed
Apr 30, 2026 - 16:22 NVD
7.2 (HIGH) 8.6 (HIGH)
Analysis Generated
Mar 12, 2026 - 22:06 vuln.today
CVE Published
Mar 11, 2026 - 06:17 nvd
HIGH 7.2

DescriptionCVE.org

Code injection vulnerability exists in MR-GM5L-S1 and MR-GM5A-L1, which may allow an attacker with administrative privileges to execute arbitrary commands.

AnalysisAI

Code injection in MitsubishiChemical network devices MR-GM5L-S1 and MR-GM5A-L1 allows authenticated administrators to execute arbitrary commands via crafted inputs. While requiring high-privilege access (CVSS:4.0 PR:H), successful exploitation achieves complete system compromise with high confidentiality, integrity, and availability impact. EPSS score of 0.05% (16th percentile) indicates low probability of mass exploitation. No active exploitation or public proof-of-concept identified at time of analysis, though JPCERT/CC coordination suggests vendor awareness and patch availability.

Technical ContextAI

This is a CWE-94 code injection vulnerability affecting Mitsubishi Chemical's MR-GM5L-S1 and MR-GM5A-L1 network devices, likely industrial automation or building management equipment based on the vendor profile. Code injection occurs when user-supplied input is improperly validated before being passed to an interpreter or execution context. In administrative interfaces, this commonly manifests in command-line utilities, configuration parsers, script execution features, or system management functions where input sanitization is inadequate. The CVSS:4.0 vector indicates network-accessible exploitation (AV:N) with low attack complexity (AC:L) but requires high privileges (PR:H), suggesting the vulnerability exists in authenticated administrative functionality rather than guest-accessible interfaces. The attack does not require special timing conditions (AT:N) or user interaction (UI:N), and scope remains unchanged (SC:N/SI:N/SA:N), meaning exploitation is confined to the vulnerable component's security context.

Affected ProductsAI

Mitsubishi Chemical network devices MR-GM5L-S1 and MR-GM5A-L1 are confirmed affected. The vendor advisory from Mitsubishi Chemical (https://www.mrl.co.jp/download/security/JVNVU98103854.pdf) and JPCERT/CC coordination notice (https://jvn.jp/en/vu/JVNVU98103854/) provide official confirmation. Specific firmware versions are not detailed in the NVD record, suggesting all currently deployed versions may be vulnerable pending vendor clarification. Organizations should consult the Japanese-language vendor security bulletin for complete version enumeration and affected product configurations.

RemediationAI

Apply vendor-supplied security updates from Mitsubishi Chemical's official security advisory at https://www.mrl.co.jp/download/security/JVNVU98103854.pdf. The coordination through JPCERT/CC (https://jvn.jp/en/vu/JVNVU98103854/) indicates patches or mitigations have been developed. Until patching is complete, implement compensating controls: restrict administrative interface access to dedicated management VLANs or jump hosts with multi-factor authentication; enforce principle of least privilege by creating role-based access controls rather than sharing full administrative credentials; enable comprehensive logging of all administrative actions for forensic detection; deploy network segmentation to isolate these devices from untrusted networks; implement IP whitelisting for administrative access if remote management is required. Note that access restrictions may complicate legitimate remote troubleshooting and require coordination with operational teams. Monitor vendor communications for firmware update notifications and test patches in non-production environments before deployment to critical systems.

Share

CVE-2026-20892 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy