Mitsubishi Electric Multiple Products (Update G)
Plan Patch · 7.3 · ICS-CERT ICSA-20-245-01 · Sep 1, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A weak TCP session initiation mechanism in multiple Mitsubishi Electric products allows an attacker to hijack TCP sessions and execute remote commands. The vulnerability affects dozens of industrial control products including programmable logic controllers (PLCs), human-machine interfaces (HMIs), network modules, servo drives, variable frequency drives (VFDs), and conveyor tracking applications. CWE-342 (Predictable Exact Value).
What this means
What could happen
An attacker with network access can hijack TCP sessions to devices and execute arbitrary commands, potentially disrupting process control, stopping equipment, or causing unsafe operating conditions. This could halt production, damage equipment, or create safety hazards depending on what the affected device controls.
Who's at risk
Manufacturing plants and energy utilities operating Mitsubishi Electric industrial control products should be concerned. This includes users of Q-series and L-series PLCs, FX-series compact controllers, FR-series variable frequency drives, servo drives (MR-J series), network modules, and GOT-series HMIs. Equipment affected includes discrete manufacturing lines, process control systems, power generation/distribution, and conveyor systems.
How it could be exploited
An attacker reachable on the same network as the affected device can predict or intercept TCP session parameters, inject malicious commands into the session, and take control of the device's operations. No credentials are required if the device is not already protected by network segmentation or firewall rules.
Prerequisites
- Network access to the affected device (same LAN or routable network path)
- Device must be actively communicating via TCP/IP
- No authentication required
- Remotely exploitable
- No authentication required
- Low complexity
- No patch available for most products
- Affects core control systems (PLCs, HMIs, drives)
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (104)
4 with fix, 100 pending

| Product | Affected Versions | Fix Status |
|---|---|---|
| QJ71MES96 | All versions | No fix yet |
| QJ71WS96 | All versions | No fix yet |
| Q06CCPU-V | All versions | No fix yet |
| Q24DHCCPU-V | ≤ the first 5 digits of serial number 24031 | No fix yet |
| Q24DHCCPU-VG | ≤ the first 5 digits of serial number 24031 | No fix yet |
Remediation & Mitigation
Do now
- HARDENING: Isolate affected devices within a trusted LAN; do not expose them to untrusted networks or the Internet.
- WORKAROUND: Configure firewall rules to restrict TCP/IP access to affected devices; allow only known engineering workstations and control systems.
- HARDENING: Restrict physical access to devices by storing them in locked cabinets and sealing unused Ethernet ports.
- WORKAROUND: For products with no fix available (QJ71MES96, QJ71WS96, Q06CCPU-V, NZ2FT-MT, NZ2FT-EIP, FX3U-ENET-ADP, FX3GE, GOT1000 GT14, Conveyor Tracking Applications APR-1TR/2TR series, MR-JE-C, MR-J4-TM, and others): implement compensating controls such as network segmentation and firewall rules to prevent unauthorized TCP sessions.
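One way to check that the firewall allowlist described above is holding, as an added example (not part of the advisory or any Mitsubishi Electric tooling): the script audits flow records for TCP sessions that reach affected devices from sources outside the allowlist. The device addresses, allowed ranges, ports and flow-record format are constructed assumptions.

```python
import ipaddress

# Constructed inventory (assumption): affected device addresses and permitted peers.
AFFECTED_DEVICES = {"10.20.0.11": "QJ71MES96", "10.20.0.12": "Q06CCPU-V"}
ALLOWED_SOURCES = [ipaddress.ip_network(n) for n in ("10.20.5.0/28", "10.20.0.2/32")]

# Constructed flow records, one per line: "proto src_ip src_port dst_ip dst_port".
SAMPLE_FLOWS = """\
tcp 10.20.5.4 50211 10.20.0.11 5007
tcp 10.20.9.77 40112 10.20.0.11 5007
udp 10.20.9.77 40113 10.20.0.11 5006
tcp 192.0.2.50 51515 10.20.0.12 23
tcp 10.20.0.2 49152 10.20.0.12 5007
tcp 10.20.9.77 40114 10.20.0.30 502
garbage line
"""

def is_allowed(src_ip):
    """True if the source falls inside any allowlisted network."""
    return any(src_ip in net for net in ALLOWED_SOURCES)

def audit_flows(text):
    """Return (violations, skipped).

    violations: (src, dst, dst_port, product) for each TCP flow that reached an
    affected device from a source outside the allowlist.
    skipped: count of lines that could not be parsed.
    """
    violations, skipped = [], 0
    for line in text.splitlines():
        try:
            proto, src, sport, dst, dport = line.split()
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            int(sport)
            dport = int(dport)
        except ValueError:  # wrong field count, bad address or bad port
            skipped += 1
            continue
        product = AFFECTED_DEVICES.get(str(dst_ip))
        if proto.lower() != "tcp" or product is None:
            continue  # the advisory concerns TCP sessions to affected devices only
        if not is_allowed(src_ip):
            violations.append((str(src_ip), str(dst_ip), dport, product))
    return violations, skipped

if __name__ == "__main__":
    found, bad = audit_flows(SAMPLE_FLOWS)
    for src, dst, port, product in found:
        print(f"UNLISTED SOURCE {src} -> {product} ({dst}:{port})")
    print(f"{len(found)} violation(s), {bad} unparsable line(s)")
```

Any hit means a firewall rule or segment boundary is not enforcing the allowlist and should be reviewed.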
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: For FX5U, FX5U(C), FX5UC-32M, FX5UJ, RD55UP, R12CCPU-V, RJ71GN11-T2, RnCPU, RnENCPU, RnSFCPU, RnPCPU, RnPSFCPU, FX3U-ENET variants, FX5-ENET, FX5-ENET/IP, FX5-CCLGN-MS, RJ71EN71, QnUDEHCPU, QnUDVCPU, QnUDPVCPU, LnCPU variants, QJ71E71-100, LJ71E71-100, QJ71MT91, NZ2GACP620, LE7-40GU-L, GOT2000/GS21/GT25-J71GN13-T2, RD78G, FR-A/F800-E/FR-A8NCG/FR-E800 series: update to the specified fixed version when a maintenance window is available.
Long-term hardening
- HARDENING: Install and maintain antivirus software on engineering workstations used to access affected products.
CVEs (1)