OTPulse

Mitsubishi Electric MELSEC iQ-R Series (Update D)

Plan Patch · CVSS 8.6 · ICS-CERT ICSA-20-282-02 · Nov 19, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A denial-of-service vulnerability in Mitsubishi Electric iQ-R series PLCs allows an attacker to send a crafted network request that causes resource exhaustion on the device, rendering it unresponsive to legitimate commands and queries. The vulnerability affects multiple iQ-R PLC models including R00CPU, R01CPU, R04CPU through R120CPU, as well as EN, F, P, and MT variant CPUs across all versions listed. No public exploitation has been reported, but the vulnerability requires only network access and no authentication. Mitsubishi Electric recommends updating to patched firmware versions specific to each CPU model and implementing firewall controls to restrict network access from untrusted sources.

What this means
What could happen
An attacker can cause the iQ-R PLC to stop responding to network requests, halting your ability to monitor or control industrial processes until the device is rebooted or power-cycled.
Who's at risk
Energy sector operators using Mitsubishi Electric iQ-R series programmable logic controllers (PLCs), including compact, mid-range, and multi-task CPU models. This affects any plant or facility where iQ-R PLCs manage generation, transmission, distribution, or water treatment processes.
How it could be exploited
An attacker with network access to an iQ-R PLC on ports used by Mitsubishi's protocol can send a specially crafted request that exhausts the device's resources, triggering a denial-of-service condition and making the PLC unresponsive.
Prerequisites
  • Network access to the iQ-R PLC from an untrusted network segment
  • No authentication required to send the malicious request
remotely exploitable · no authentication required · low complexity · no patch available for end-of-life models · affects industrial control systems
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (23)
23 with fix
Product              | Affected Versions | Fix Status
iQ-R series R00CPU   | <= 20             | 21 or later
iQ-R series R04CPU   | <= 52             | 53 or later
iQ-R series R08CPU   | <= 52             | 53 or later
iQ-R series R16CPU   | <= 52             | 53 or later
iQ-R series R32CPU   | <= 52             | 53 or later
Remediation & Mitigation
Do now
WORKAROUND: Configure firewall rules to block network access to iQ-R PLCs from untrusted networks and hosts; allow only known engineering workstations and SCADA servers
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update iQ-R series R00CPU and R01CPU firmware to version 21 or later
HOTFIX: Update iQ-R series R04CPU, R08CPU, R16CPU, R32CPU, and R120CPU firmware to version 53 or later
HOTFIX: Update iQ-R series R04ENCPU, R08ENCPU, R16ENCPU, R32ENCPU, and R120ENCPU firmware to version 53 or later
HOTFIX: Update iQ-R series R08FCPU, R16FCPU, R32FCPU, and R120FCPU firmware to version 23 or later
HOTFIX: Update iQ-R series R08PCPU, R16PCPU, R32PCPU, and R120PCPU firmware to version 26 or later
HOTFIX: Update iQ-R series R16MTCPU, R32MTCPU, and R64MTCPU operating system software to version 22 or later
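
Added example (not part of the advisory or any Mitsubishi Electric tooling): an inventory triage that maps each CPU model to the first fixed version from the list above and flags assets still below it. The asset names, sample versions, status labels and the (asset, model, version) row layout are constructed assumptions.

```python
import re

# (family suffix, CPU sizes, first fixed version) from the remediation list.
FIXED_RULES = [
    ("CPU",   {"00", "01"}, 21),
    ("CPU",   {"04", "08", "16", "32", "120"}, 53),
    ("ENCPU", {"04", "08", "16", "32", "120"}, 53),
    ("FCPU",  {"08", "16", "32", "120"}, 23),
    ("PCPU",  {"08", "16", "32", "120"}, 26),
    ("MTCPU", {"16", "32", "64"}, 22),
]
MODEL_RE = re.compile(r"^R(\d{2,3})(EN|F|P|MT)?CPU$")

def min_fixed_version(model):
    """Return the first fixed version for a model, or None if not listed."""
    m = MODEL_RE.match(model.strip().upper())
    if not m:
        return None
    size, family = m.group(1), (m.group(2) or "") + "CPU"
    for fam, sizes, fixed in FIXED_RULES:
        if fam == family and size in sizes:
            return fixed
    return None

def triage(inventory):
    """Map asset -> (status, first fixed version) for (asset, model, version) rows."""
    out = {}
    for asset, model, version in inventory:
        fixed = min_fixed_version(model)
        try:
            current = int(str(version).strip())
        except ValueError:
            current = None
        if fixed is None:
            status = "not-listed"        # model is not in the list above
        elif current is None:
            status = "verify-manually"   # version missing or unreadable
        elif current < fixed:
            status = "update-required"
        else:
            status = "fixed"
        out[asset] = (status, fixed)
    return out

# Constructed sample inventory (hypothetical asset names and versions).
SAMPLE = [("plc-01", "R04CPU", "52"), ("plc-02", "R04ENCPU", "53"),
          ("plc-03", "r16mtcpu", ""), ("plc-04", "R08PSFCPU", "10")]
if __name__ == "__main__":
    print(triage(SAMPLE))
```

A "not-listed" result only means the model string does not appear in the remediation list on this page; it is not a statement that the device is unaffected.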
Long-term hardening
HARDENING: Implement network segmentation to isolate iQ-R PLCs on a separate LAN segment with restricted access from corporate networks
Mitsubishi Electric MELSEC iQ-R Series (Update D) | CVSS 8.6 - OTPulse