OTPulse
FeedAboutContact

Mitsubishi Electric MELSEC iQ-R, iQ-F, Q, L and FX Series CPU Modules (Update A)

Act Now10ICS-CERT ICSA-20-175-01Jun 23, 2020
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

Mitsubishi Electric MELSEC iQ-R, iQ-F, Q, L, and FX series CPU modules do not encrypt or require authentication for communication. This allows an attacker with network access to send commands to the module, read its memory, modify configurations, or cause denial of service. Successful exploitation could result in information disclosure, unauthorized operation, process tampering, or complete loss of control.

What this means
What could happen
An attacker with network access to the CPU module could read sensitive data from the PLC, modify configurations or program logic, execute unauthorized commands, or crash the controller, potentially disrupting plant operations or altering critical process behavior.
Who's at risk
Water and electric utilities, municipal facilities, and any organization running Mitsubishi MELSEC iQ-R, iQ-F, Q, L, or FX series PLCs/CPUs. This affects any critical process controlled by these modules—pumping stations, substation controls, process automation, and safety interlocks.
How it could be exploited
An attacker on the network sends unencrypted communication to the Mitsubishi CPU module (port 502 or proprietary port). The module accepts the request without authentication or encryption, allowing the attacker to read/write memory, alter parameters, or trigger denial of service.
Prerequisites
  • Network access to the CPU module on its native protocol port (typically port 502 or Mitsubishi proprietary ports)
  • No authentication required
  • No encryption required on the communication channel
remotely exploitableno authentication requiredlow complexityno patch availableaffects all affected product versionscritical CVSS score (10.0)
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
ProductAffected VersionsFix Status
MELSEC iQ-R iQ-F Q L and FX series CPU modules: all versionsAll versionsNo fix (EOL)
Remediation & Mitigation
0/5
Do now
0/2
WORKAROUNDImplement VPN or encrypted tunnel for all communication to the CPU module
HARDENINGRestrict network access to the CPU module using firewall rules—allow only from engineering workstations and authorized remote access points
Schedule — requires maintenance window
0/2

Patching may require device reboot — plan for process interruption

HARDENINGIsolate the control system network from the business network using air gap, VLAN, or firewall
HARDENINGDisable remote access to the CPU module if not required
Mitigations - no patch available
0/1
MELSEC iQ-R iQ-F Q L and FX series CPU modules: all versions has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENINGMonitor for suspicious communication patterns on native protocol ports to the CPU module
View full CISA ICS-CERT advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/8c57a218-b651-459b-b620-61f2fcb00c94