Mitsubishi Electric MELSEC-Q Series and MELSEC-L Series CPU Modules
Monitor7.5ICS-CERT ICSA-19-311-01Nov 7, 2019
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary
The MELSEC-Q Series and MELSEC-L Series CPU modules contain a denial-of-service vulnerability in the FTP client functionality. Successful exploitation prevents the FTP client from connecting to the FTP server on affected modules. The vulnerability affects Q04/06/13/26UDPVCPU, L02/06/26CPU, and related variants with firmware serial numbers 21081 (Q-series) or 21101 (L-series) and prior. Mitsubishi Electric reports that new firmware has been produced but has not publicly released version numbers or patch details. Affected devices should be isolated behind firewalls to limit FTP accessibility.
What this means
What could happen
An attacker could disrupt FTP communication to the PLC, preventing file transfers needed for firmware updates, program changes, or remote diagnostics on critical process control systems. This can effectively lock operators out of remote management and troubleshooting capabilities.
Who's at risk
Operators at water authorities and electric utilities using Mitsubishi Electric MELSEC-Q Series (models Q04/06/13/26UDPVCPU, Q03/04/06/13/26UDVCPU, Q03UDECPU, and Q04/06/10/13/20/26/50/100UDEHCPU) and MELSEC-L Series (models L02/06/26CPU and variants) CPU modules for process control and remote management. The vulnerability affects devices with firmware serial numbers up to and including 21081 (Q-series) or 21101 (L-series).
How it could be exploited
An attacker with network access to the FTP service on the MELSEC CPU module can send a specially crafted request that causes the FTP client to fail to connect to the FTP server, disrupting remote communication and file transfer functions that operators rely on for system administration.
Prerequisites
- Network access to port 21 (FTP) or the FTP service port on the MELSEC CPU module
- The affected CPU module must be running firmware at or below the stated serial number threshold (21081 for Q-series, 21101 for L-series)
remotely exploitableno authentication requiredlow complexityno patch availableaffects critical process control
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (6)
6 EOL
ProductAffected VersionsFix Status
Q03UDECPU Q04/06/10/13/20/26/50/100UDEHCPU: serial number 21081 and prior≤ 21081No fix (EOL)
L02/06/26CPU-CM L26CPU-BT-CM: serial number 21101 and prior≤ 21101No fix (EOL)
Q04/06/13/26UDPVCPU: serial number 21081 and prior≤ 21081No fix (EOL)
Q03/04/06/13/26UDVCPU: serial number 21081 and prior≤ 21081No fix (EOL)
L02/06/26CPU L26CPU-BT: serial number 21101 and prior≤ 21101No fix (EOL)
L02/06/26CPU-P L26CPU-PBT: serial number 21101 and prior≤ 21101No fix (EOL)
Remediation & Mitigation
0/4
Do now
0/1HARDENINGOperate the affected MELSEC CPU module behind a firewall that restricts inbound FTP traffic to only authorized sources
Schedule — requires maintenance window
0/3Patching may require device reboot — plan for process interruption
HARDENINGIsolate MELSEC CPU modules from the business network and internet; place on a segregated control system network
HOTFIXContact your local Mitsubishi Electric representative to inquire about available firmware updates or patches for your specific equipment serial numbers
HARDENINGIf remote access is necessary, implement a VPN to reach the control system network, ensuring the VPN is kept current with security updates
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/33bf1060-4a18-4735-afae-38fd34391bd8