Mitsubishi Electric MELSEC iQ-R Series

Risk Summary

Successful exploitation of these vulnerabilities could allow a remote attacker unauthorized access to legitimate usernames, CPU module access, or the ability to deny access to legitimate users.

CVEs (3)

Remediations

• Users of the affected products and versions may take measures through mitigations and workarounds. Mitsubishi Electric has released the fixed versions for CVE-2021-20594 and CVE-2021-20597 as shown below, but updating the product to the fixed version is not available.
• MELSEC iQ-R series Safety CPU R08/16/32/120SFCPU:Firmware versions "27" or later
• MELSEC iQ-R series SIL2 Process CPU R08/16/32/120PSFCPU:Firmware versions "12" or later
• Mitsubishi Electric recommends users take the following mitigation measures to minimize the risk of exploiting these vulnerabilities:
• Use a firewall or virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required.
• Use within a LAN and block access from untrusted networks and hosts through firewalls.
• Use the IP filter function to restrict the accessible IP addresses. MELSEC iQ-R Ethernet User's Manual (Application) 1.13 Security "IP filter"
• Additional information about these vulnerabilities or Mitsubishi Electric's compensating control is available by contacting a Mitsubishi Electric representative.
• Users should refer to Mitsubishi Electric advisories 2021-008, 2021-009, and 2021-010 for further details.
• Register user information or change the password via USB. If you have already registered user information or changed the user's password via the network, change the password once via USB. This mitigation is applicable to CVE-2021-20597

Affected Vendors

Affected Products (16)

Affected Sectors

Critical Manufacturing