Mitsubishi Electric MELSEC-Q Series and MELSEC-L Series CPU Modules

MonitorCVSS 7.5ICS-CERT ICSA-19-311-01Nov 7, 2019

Mitsubishi ElectricEnergy

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

The MELSEC-Q Series and MELSEC-L Series CPU modules contain a denial-of-service vulnerability in the FTP client functionality. Successful exploitation prevents the FTP client from connecting to the FTP server on affected modules. The vulnerability affects Q04/06/13/26UDPVCPU, L02/06/26CPU, and related variants with firmware serial numbers 21081 (Q-series) or 21101 (L-series) and prior. Mitsubishi Electric reports that new firmware has been produced but has not publicly released version numbers or patch details. Affected devices should be isolated behind firewalls to limit FTP accessibility.

What this means

What could happen

An attacker could disrupt FTP communication to the PLC, preventing file transfers needed for firmware updates, program changes, or remote diagnostics on critical process control systems. This can effectively lock operators out of remote management and troubleshooting capabilities.

Who's at risk

Operators at water authorities and electric utilities using Mitsubishi Electric MELSEC-Q Series (models Q04/06/13/26UDPVCPU, Q03/04/06/13/26UDVCPU, Q03UDECPU, and Q04/06/10/13/20/26/50/100UDEHCPU) and MELSEC-L Series (models L02/06/26CPU and variants) CPU modules for process control and remote management. The vulnerability affects devices with firmware serial numbers up to and including 21081 (Q-series) or 21101 (L-series).

How it could be exploited

An attacker with network access to the FTP service on the MELSEC CPU module can send a specially crafted request that causes the FTP client to fail to connect to the FTP server, disrupting remote communication and file transfer functions that operators rely on for system administration.

Prerequisites

Network access to port 21 (FTP) or the FTP service port on the MELSEC CPU module
The affected CPU module must be running firmware at or below the stated serial number threshold (21081 for Q-series, 21101 for L-series)

remotely exploitableno authentication requiredlow complexityno patch availableaffects critical process control

Exploitability

Unlikely to be exploited — EPSS score 0.5%

Affected products (6)

6 EOL

ProductAffected VersionsFix Status

Q03UDECPU Q04/06/10/13/20/26/50/100UDEHCPU: serial number 21081 and prior≤ 21081No fix (EOL)

L02/06/26CPU-CM L26CPU-BT-CM: serial number 21101 and prior≤ 21101No fix (EOL)

Q04/06/13/26UDPVCPU: serial number 21081 and prior≤ 21081No fix (EOL)

Q03/04/06/13/26UDVCPU: serial number 21081 and prior≤ 21081No fix (EOL)

L02/06/26CPU L26CPU-BT: serial number 21101 and prior≤ 21101No fix (EOL)

L02/06/26CPU-P L26CPU-PBT: serial number 21101 and prior≤ 21101No fix (EOL)

Remediation & Mitigation

0/4

Do now

0/1

HARDENINGOperate the affected MELSEC CPU module behind a firewall that restricts inbound FTP traffic to only authorized sources

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HARDENINGIsolate MELSEC CPU modules from the business network and internet; place on a segregated control system network

HOTFIXContact your local Mitsubishi Electric representative to inquire about available firmware updates or patches for your specific equipment serial numbers

HARDENINGIf remote access is necessary, implement a VPN to reach the control system network, ensuring the VPN is kept current with security updates

CVEs (1)

CVE-2019-13555

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/33bf1060-4a18-4735-afae-38fd34391bd8

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.