OTPulse

Mitsubishi Electric MELSEC-Q Series PLCs

Monitor · 7.5 · ICS-CERT ICSA-19-029-02 · Jan 29, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A Denial of Service (DoS) vulnerability in Mitsubishi Electric MELSEC-Q Series PLCs allows a remote attacker to send specially crafted packets via Ethernet, causing Ethernet and USB communication to stop. Affected models include Q03/04/06/13/26UDVCPU (serial ≤20081), Q04/06/13/26UDPVCPU (serial ≤20081), and Q03UDECPU, Q04/06/10/13/20/26/50/100UDEHCPU (serial ≤20101). No patch is available; mitigation requires firewall protection and network segmentation.

What this means
What could happen
An attacker could stop Ethernet and USB communication to your PLC by sending malicious packets, disrupting process monitoring, remote control, and data transfer until the device is rebooted. This affects any critical operation that depends on continuous network connectivity to the PLC.
Who's at risk
Energy and manufacturing sectors operating Mitsubishi Electric MELSEC-Q Series PLCs (models Q03, Q04, Q06, Q10, Q13, Q20, Q26, Q50, Q100 in the UDVCPU, UDPVCPU, UDECPU, or UDEHCPU variants with serial numbers up to 20081 or 20101). Any facility using these PLCs for process control, monitoring, or automation is at risk of operational disruption.
How it could be exploited
An attacker on the network sends specially crafted Ethernet packets directly to the affected PLC's IP address. The device does not validate the packet content properly, and the invalid data causes the Ethernet and USB interfaces to stop responding, forcing a manual restart.
Prerequisites
  • Network access to the PLC's IP address over Ethernet (port unspecified, likely industrial protocol port)
  • No authentication required
  • PLC must be running affected firmware version
remotely exploitable · no authentication required · low complexity · no patch available · affects process availability
Exploitability
Moderate exploit probability (EPSS 1.5%)
Affected products (3)
3 EOL
| Product | Affected Versions | Fix Status |
|---|---|---|
| Q04/06/13/26UDPVCPU | ≤ serial number 20081 | No fix (EOL) |
| Q03UDECPU, Q04/06/10/13/20/26/50/100UDEHCPU | ≤ serial number 20101 | No fix (EOL) |
| Q03/04/06/13/26UDVCPU | ≤ serial number 20081 | No fix (EOL) |
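To check an asset inventory against the table above, the following added example (not code from OTPulse or Mitsubishi Electric) expands the advisory's compact model notation and compares serial values to the listed thresholds. It assumes inventory records hold the serial value in the same numeric form the advisory uses; the function names, record fields and sample assets are hypothetical.

```python
import re

# Affected families and serial thresholds, copied from the advisory table.
AFFECTED = {
    "Q03/04/06/13/26UDVCPU": 20081,
    "Q04/06/13/26UDPVCPU": 20081,
    "Q03UDECPU": 20101,
    "Q04/06/10/13/20/26/50/100UDEHCPU": 20101,
}

def expand_family(family):
    """Expand 'Q04/06/13/26UDPVCPU' into ['Q04UDPVCPU', 'Q06UDPVCPU', ...]."""
    m = re.fullmatch(r"Q(\d+(?:/\d+)*)([A-Z]+)", family)
    if not m:
        raise ValueError(f"unrecognised family notation: {family!r}")
    return [f"Q{size}{m.group(2)}" for size in m.group(1).split("/")]

# Per-model lookup: model name -> highest affected serial value.
THRESHOLDS = {model: limit for family, limit in AFFECTED.items()
              for model in expand_family(family)}

def is_affected(model, serial):
    """Return True/False, or None when the serial cannot be evaluated."""
    limit = THRESHOLDS.get(model.strip().upper())
    if limit is None:
        return False          # model is not listed in the advisory
    digits = str(serial).strip()
    if not digits.isdecimal():
        return None           # missing or malformed serial: manual review
    return int(digits) <= limit

def triage(inventory):
    """Sort asset tags into affected, needs-review and not-affected lists."""
    result = {"affected": [], "review": [], "ok": []}
    for asset in inventory:
        verdict = is_affected(asset["model"], asset["serial"])
        key = "review" if verdict is None else "affected" if verdict else "ok"
        result[key].append(asset["tag"])
    return result

# Constructed sample inventory (not real assets).
SAMPLE = [
    {"tag": "PLC-LINE1", "model": "Q06UDVCPU", "serial": "20081"},
    {"tag": "PLC-LINE2", "model": "Q06UDVCPU", "serial": "20082"},
    {"tag": "PLC-BOILER", "model": "q100udehcpu", "serial": "19044"},
    {"tag": "PLC-PACK", "model": "Q03UDECPU", "serial": ""},
    {"tag": "PLC-LAB", "model": "Q02HCPU", "serial": "10010"},
]

print(triage(SAMPLE))
```

Assets that land in the review list have a listed model but no usable serial, so they should be treated as affected until the serial is confirmed.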
Remediation & Mitigation
Do now
WORKAROUND: Place affected PLCs behind a firewall and restrict inbound Ethernet access to only trusted engineering workstations and SCADA servers
HARDENING: Isolate PLC networks from business networks using air gaps or VLANs to prevent untrusted traffic from reaching the devices
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Contact Mitsubishi Electric for firmware availability and plan upgrade during a scheduled maintenance window
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Q04/06/13/26UDPVCPU (≤ serial number 20081); Q03UDECPU, Q04/06/10/13/20/26/50/100UDEHCPU (≤ serial number 20101); Q03/04/06/13/26UDVCPU (≤ serial number 20081). Apply the following compensating controls:
HARDENING: Monitor PLC availability and implement automated alerting if Ethernet or USB communication stops unexpectedly
HARDENING: Review and test network access controls to ensure only required protocols and sources can reach the PLC