ICSA-23-143-03  ·  Published 2024-04-25

Mitsubishi Electric MELSEC Series CPU module (Update D)

CVSS 10.0 CRITICAL

Risk Summary

Successful exploitation of this vulnerability could allow a remote attacker to cause a denial-of-service condition or execute malicious programs on a target product by sending specially crafted packets.

CVEs (1)

Remediations

  • Mitsubishi Electric created the following firmware versions to address this issue and encourages users to update:
      • MELSEC iQ-F Series: firmware version 1.290.
      • MELSEC iQ-R Series R00CPU: firmware version 36 or later.
      • MELSEC iQ-R Series R01CPU: firmware version 36 or later.
      • MELSEC iQ-R Series R02CPU: firmware version 36 or later.
      • MELSEC iQ-R Series R04(EN)CPU: firmware version 69 or later.
      • MELSEC iQ-R Series R08(EN)CPU: firmware version 69 or later.
      • MELSEC iQ-R Series R16(EN)CPU: firmware version 69 or later.
      • MELSEC iQ-R Series R32(EN)CPU: firmware version 69 or later.
      • MELSEC iQ-R Series R120(EN)CPU: firmware version 69 or later.
      • MELSEC iQ-R Series R08SFCPU: firmware version 32 or later.
      • MELSEC iQ-R Series R16SFCPU: firmware version 32 or later.
      • MELSEC iQ-R Series R32SFCPU: firmware version 32 or later.
      • MELSEC iQ-R Series R120SFCPU: firmware version 32 or later.
      • MELSEC iQ-R Series R08PCPU: firmware version 38 or later.
      • MELSEC iQ-R Series R16PCPU: firmware version 38 or later.
      • MELSEC iQ-R Series R32PCPU: firmware version 38 or later.
      • MELSEC iQ-R Series R120PCPU: firmware version 38 or later.
  • When using the affected MELSEC iQ-R Series R08/16/32/120SFCPU, apply the mitigations and workarounds, because updating the product to the fixed version is not available.
  • Users should refer to the following manuals when updating: (1) "9 FIRMWARE UPDATE FUNCTION" in the MELSEC iQ-F FX5 User's Manual (Application) and (2) MELSEC iQ-R Module Configuration Manual "Appendix 2: Firmware Update Function."
  • Mitsubishi Electric recommends that customers take the following mitigation measures to minimize the risk of exploitation of this vulnerability:
      • Use a firewall or virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required.
      • Use within a LAN and block access from untrusted networks and hosts through firewalls.
      • Restrict physical access to the LAN to which affected products are connected.
      • Use the IP filter function to block access from untrusted hosts. For details regarding the IP filter function, users can refer to:
          • "13.1 IP Filter Function" in the MELSEC iQ-F FX5 User's Manual (Communication).
          • "1.13 Security"-"IP filter" in the MELSEC iQ-R Ethernet User's Manual (Application).
  • For specific update instructions and additional details see the Mitsubishi Electric advisory.

Affected Vendors

Mitsubishi Electric Corporation

Affected Products (43)

Mitsubishi Electric Corporation · MELSEC iQ-F Series FX5U-32MT/ES, Serial number 17X**** or later >=1.220|<=1.281
Mitsubishi Electric Corporation · MELSEC iQ-F Series FX5U-32MT/DS, Serial number 17X**** or later >=1.220|<=1.281
Mitsubishi Electric Corporation · MELSEC iQ-F Series FX5U-32MT/ESS, Serial number 17X**** or later >=1.220|<=1.281
Mitsubishi Electric Corporation · MELSEC iQ-F Series FX5U-32MT/DSS, Serial number 17X**** or later >=1.220|<=1.281
Mitsubishi Electric Corporation · MELSEC iQ-F Series FX5U-32MR/ES, Serial number 17X**** or later >=1.220|<=1.281
Mitsubishi Electric Corporation · MELSEC iQ-F Series FX5U-32MR/DS, Serial number 17X**** or later >=1.220|<=1.281
Mitsubishi Electric Corporation · MELSEC iQ-F Series FX5U-64MT/ES, Serial number 17X**** or later >=1.220|<=1.281
Mitsubishi Electric Corporation · MELSEC iQ-F Series FX5U-64MT/DS, Serial number 17X**** or later >=1.220|<=1.281
Mitsubishi Electric Corporation · MELSEC iQ-F Series FX5U-64MT/ESS, Serial number 17X**** or later >=1.220|<=1.281
Mitsubishi Electric Corporation · MELSEC iQ-F Series FX5U-64MT/DSS, Serial number 17X**** or later >=1.220|<=1.281
Mitsubishi Electric Corporation · MELSEC iQ-F Series FX5U-64MR/ES, Serial number 17X**** or later >=1.220|<=1.281
Mitsubishi Electric Corporation · MELSEC iQ-F Series FX5U-64MR/DS, Serial number 17X**** or later >=1.220|<=1.281
Mitsubishi Electric Corporation · MELSEC iQ-F Series FX5U-80MT/ES, Serial number 17X**** or later >=1.220|<=1.281
Mitsubishi Electric Corporation · MELSEC iQ-F Series FX5U-80MT/DS, Serial number 17X**** or later >=1.220|<=1.281
Mitsubishi Electric Corporation · MELSEC iQ-F Series FX5U-80MT/ESS, Serial number 17X**** or later >=1.220|<=1.281
Mitsubishi Electric Corporation · MELSEC iQ-F Series FX5U-80MT/DSS, Serial number 17X**** or later >=1.220|<=1.281
Mitsubishi Electric Corporation · MELSEC iQ-F Series FX5U-80MR/ES, Serial number 17X**** or later >=1.220|<=1.281
Mitsubishi Electric Corporation · MELSEC iQ-F Series FX5U-80MR/DS, Serial number 17X**** or later >=1.220|<=1.281
Mitsubishi Electric Corporation · MELSEC iQ-F Series FX5UC-32MT/D, Serial number 17X**** or later >=1.220|<=1.281
Mitsubishi Electric Corporation · MELSEC iQ-F Series FX5UC-32MT/DSS, Serial number 17X**** or later >=1.220|<=1.281
Mitsubishi Electric Corporation · MELSEC iQ-F Series FX5UC-64MT/D, Serial number 17X**** or later >=1.220|<=1.281
Mitsubishi Electric Corporation · MELSEC iQ-F Series FX5UC-64MT/DSS, Serial number 17X**** or later >=1.220|<=1.281
Mitsubishi Electric Corporation · MELSEC iQ-F Series FX5UC-96MT/D, Serial number 17X**** or later >=1.220|<=1.281
Mitsubishi Electric Corporation · MELSEC iQ-F Series FX5UC-96MT/DSS, Serial number 17X**** or later >=1.220|<=1.281
Mitsubishi Electric Corporation · MELSEC iQ-F Series FX5UC-32MT/DS-TS >=1.220|<=1.281
Mitsubishi Electric Corporation · MELSEC iQ-F Series FX5UC-32MT/DSS-TS >=1.220|<=1.281
Mitsubishi Electric Corporation · MELSEC iQ-F Series FX5UC-32MR/DS-TS >=1.220|<=1.281
Mitsubishi Electric Corporation · MELSEC iQ-R Series R00CPU <=35
Mitsubishi Electric Corporation · MELSEC iQ-R Series R01CPU <=35
Mitsubishi Electric Corporation · MELSEC iQ-R Series R02CPU <=35
Mitsubishi Electric Corporation · MELSEC iQ-R Series R04(EN)CPU >=12|<=68
Mitsubishi Electric Corporation · MELSEC iQ-R Series R08(EN)CPU >=12|<=68
Mitsubishi Electric Corporation · MELSEC iQ-R Series R16(EN)CPU >=12|<=68
Mitsubishi Electric Corporation · MELSEC iQ-R Series R32(EN)CPU >=12|<=68
Mitsubishi Electric Corporation · MELSEC iQ-R Series R120(EN)CPU >=12|<=68
Mitsubishi Electric Corporation · MELSEC iQ-R Series R08SFCPU >=26|<=31
Mitsubishi Electric Corporation · MELSEC iQ-R Series R16SFCPU >=26|<=31
Mitsubishi Electric Corporation · MELSEC iQ-R Series R32SFCPU >=26|<=31
Mitsubishi Electric Corporation · MELSEC iQ-R Series R120SFCPU >=26|<=31
Mitsubishi Electric Corporation · MELSEC iQ-R Series R08PCPU >=3|<=37
Mitsubishi Electric Corporation · MELSEC iQ-R Series R16PCPU >=3|<=37
Mitsubishi Electric Corporation · MELSEC iQ-R Series R32PCPU >=3|<=37
Mitsubishi Electric Corporation · MELSEC iQ-R Series R120PCPU >=3|<=37

Affected Sectors

Critical Manufacturing
