ICSA-22-356-03  ·  Published 2024-09-05

Mitsubishi Electric MELSEC iQ-R, iQ-L Series and MELIPC Series (Update E)

CVSS 7.5 HIGH

Risk Summary

Successful exploitation of this vulnerability could allow a remote attacker to cause a denial-of-service condition in the module's Ethernet communication.

CVEs (1)

Remediations

  • Mitsubishi Electric fixed the following products:
      • MELSEC iQ-R Series R00CPU: firmware versions 33 or later
      • MELSEC iQ-R Series R01CPU: firmware versions 33 or later
      • MELSEC iQ-R Series R02CPU: firmware versions 33 or later
      • MELSEC iQ-R Series R04(EN)CPU: firmware versions 66 or later
      • MELSEC iQ-R Series R08(EN)CPU: firmware versions 66 or later
      • MELSEC iQ-R Series R16(EN)CPU: firmware versions 66 or later
      • MELSEC iQ-R Series R32(EN)CPU: firmware versions 66 or later
      • MELSEC iQ-R Series R120(EN)CPU: firmware versions 66 or later
      • MELSEC iQ-R Series R08SFCPU: firmware versions 30 or later
      • MELSEC iQ-R Series R16SFCPU: firmware versions 30 or later
      • MELSEC iQ-R Series R32SFCPU: firmware versions 30 or later
      • MELSEC iQ-R Series R120SFCPU: firmware versions 30 or later
      • MELSEC iQ-R Series R08PSFCPU: firmware versions 09 or later
      • MELSEC iQ-R Series R16PSFCPU: firmware versions 09 or later
      • MELSEC iQ-R Series R32PSFCPU: firmware versions 09 or later
      • MELSEC iQ-R Series R120PSFCPU: firmware versions 09 or later
      • MELSEC iQ-R Series R12CCPU-V: firmware versions 18 or later
      • MELSEC iQ-L Series L04HCPU: firmware versions 06 or later
      • MELSEC iQ-L Series L08HCPU: firmware versions 06 or later
      • MELSEC iQ-L Series L16HCPU: firmware versions 06 or later
      • MELSEC iQ-L Series L32HCPU: firmware versions 06 or later
      • MELIPC Series MI5122-VW: firmware versions 08 or later
  • Mitsubishi Electric offers the following countermeasures for users:
      • MELSEC iQ-R series products: Refer to "Appendix 2 Firmware Update Function" in the MELSEC iQ-R Module Configuration Manual to check if the firmware version of your product is updatable.
          • For updatable products: Download a fixed firmware update file from the Mitsubishi Electric site and update the firmware. Refer to "Appendix 2 Firmware Update Function" in the MELSEC iQ-R Module Configuration Manual for information on how to update the firmware.
          • For non-updatable products: Follow the mitigation measures below. Mitsubishi Electric has released fixed versions as shown above, but the products cannot be updated.
      • MELIPC Series or MELSEC iQ-L Series products: Follow the mitigation measures below. Mitsubishi Electric has released fixed versions as shown above, but the products cannot be updated.
  • Mitsubishi Electric recommends users take mitigation measures to minimize the risk of exploiting this vulnerability:
      • Use a firewall, virtual private network (VPN), or other means to prevent unauthorized access when internet access is required.
      • Use the product inside a local area network (LAN) and use firewalls to block access from untrusted networks and hosts.
      • Use an IP filter function to block access from untrusted hosts. For details on the remote password function and IP filter function, users can refer to the following manual for each product:
          • MELSEC iQ-R Ethernet User's Manual (Application) 1.13 Security "IP filter."
          • MELSEC iQ-L CPU module User's Manual (Application) 24.1 "IP filter Function."
          • MELSEC iQ-R C Controller Module User's Manual (Application) 6.6 Security Function "IP filter."
          • MELIPC MI5000 Series User's Manual (Application) "11.3 IP Filter Function."
  • For specific update instructions and additional details, see Mitsubishi Electric advisory 2022-018.
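
The remediation steps above, applied to an asset inventory, as an added example that is not part of the advisory or any Mitsubishi Electric tooling: it compares each module's firmware against the fixed versions listed here and returns the action the advisory implies. The CSV column names, asset tags and action labels are assumptions; the sample inventory is constructed.

```python
import csv, io, re
# Minimum fixed firmware per model, copied from the Remediations list above.
FIXED = {}
for models, fixed in [
    ("R00CPU R01CPU R02CPU", 33),
    ("R04CPU R08CPU R16CPU R32CPU R120CPU", 66),   # also covers the EN variants
    ("R08SFCPU R16SFCPU R32SFCPU R120SFCPU", 30),
    ("R08PSFCPU R16PSFCPU R32PSFCPU R120PSFCPU", 9),
    ("R12CCPU-V", 18),
    ("L04HCPU L08HCPU L16HCPU L32HCPU", 6),
    ("MI5122-VW", 8),
]:
    FIXED.update({m: fixed for m in models.split()})

def normalize(model):
    """Map 'R04ENCPU', 'r04(en)cpu' or 'R04CPU' to the table key 'R04CPU'."""
    m = re.sub(r"[\s()]", "", model.upper())
    return re.sub(r"^(R\d+)EN(CPU)$", r"\1\2", m)

def triage(model, firmware):
    """Return the action the advisory implies for one inventoried module."""
    key = normalize(model)
    if key not in FIXED:
        return "not-listed"
    if not firmware.strip().isdigit():
        return "unknown-version"      # treat as affected until confirmed
    if int(firmware) >= FIXED[key]:
        return "fixed"
    # iQ-L and MELIPC: the advisory says these products cannot be updated.
    if key.startswith(("L", "MI")):
        return "mitigate"
    # iQ-R: updatable only if Appendix 2 of the configuration manual says so.
    return "check-updatable-else-mitigate"

# Constructed inventory export (hypothetical asset tags and column names).
SAMPLE = """asset,model,firmware
plc-01,R04ENCPU,65
plc-02,R08(EN)CPU,66
plc-03,L16HCPU,05
plc-04,R120PSFCPU,08
plc-05,MI5122-VW,08
plc-06,FX5U-32M,1
"""

def triage_inventory(text):
    return {r["asset"]: triage(r["model"], r["firmware"])
            for r in csv.DictReader(io.StringIO(text))}
if __name__ == "__main__":
    print(triage_inventory(SAMPLE))
```

Modules reported as "mitigate" or left non-updatable after the Appendix 2 check are the ones that need the firewall and IP filter measures listed above.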

Affected Vendors

Mitsubishi Electric

Affected Products (22)

Mitsubishi Electric · MELSEC iQ-R Series R00CPU <=firmware_32
Mitsubishi Electric · MELSEC iQ-R Series R01CPU <=firmware_32
Mitsubishi Electric · MELSEC iQ-R Series R02CPU <=firmware_32
Mitsubishi Electric · MELSEC iQ-R Series R04(EN)CPU <=firmware_65
Mitsubishi Electric · MELSEC iQ-R Series R08(EN)CPU <=firmware_65
Mitsubishi Electric · MELSEC iQ-R Series R16(EN)CPU <=firmware_65
Mitsubishi Electric · MELSEC iQ-R Series R32(EN)CPU <=firmware_65
Mitsubishi Electric · MELSEC iQ-R Series R120(EN)CPU <=firmware_65
Mitsubishi Electric · MELSEC iQ-R Series R08SFCPU <=firmware_29
Mitsubishi Electric · MELSEC iQ-R Series R16SFCPU <=firmware_29
Mitsubishi Electric · MELSEC iQ-R Series R32SFCPU <=firmware_29
Mitsubishi Electric · MELSEC iQ-R Series R120SFCPU <=firmware_29
Mitsubishi Electric · MELSEC iQ-R Series R08PSFCPU <=firmware_08
Mitsubishi Electric · MELSEC iQ-R Series R16PSFCPU <=firmware_08
Mitsubishi Electric · MELSEC iQ-R Series R32PSFCPU <=firmware_08
Mitsubishi Electric · MELSEC iQ-R Series R120PSFCPU <=firmware_08
Mitsubishi Electric · MELSEC iQ-R Series R12CCPU-V <=firmware_17
Mitsubishi Electric · MELSEC iQ-L Series L04HCPU (sold in limited regions) <=firmware_05
Mitsubishi Electric · MELSEC iQ-L Series L08HCPU (sold in limited regions) <=firmware_05
Mitsubishi Electric · MELSEC iQ-L Series L16HCPU (sold in limited regions) <=firmware_05
Mitsubishi Electric · MELSEC iQ-L Series L32HCPU (sold in limited regions) <=firmware_05
Mitsubishi Electric · MELIPC Series MI5122-VW <=firmware_07

Affected Sectors

Critical Manufacturing
