OTPulse

Mitsubishi Electric MELSEC iQ-R

Priority: Act Now
CVSS: 9.8
Source: ICS-CERT ICSA-20-303-02
Published: Oct 29, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple Mitsubishi Electric MELSEC iQ-R modules contain improper input validation, buffer overflow and argument injection flaws (CWE-20, CWE-119, CWE-88) that allow an unauthenticated remote attacker to cause a denial-of-service condition or execute arbitrary code on the module. Affected modules: OPC UA Server (RD81OPC96), High Speed Data Logger (RD81DL96), EtherNet/IP Network Interface (RJ71EIP91), PROFINET IO Controller (RJ71PN92), and MES Interface (RD81MES96N). Only early production batches are affected: units whose serial number starts with a two-digit value at or below a per-module cutoff (01 to 08, depending on the module; see the affected products table). Successful exploitation could crash the module, interrupting communication, data logging or manufacturing execution system integration, or run attacker-supplied code on it. Mitsubishi Electric has not released a firmware fix for the affected serial number ranges.

What this means
What could happen
An attacker with network access to an affected module could stop it from communicating (denial of service) or execute arbitrary code on it, potentially disrupting power generation, distribution, or water treatment operations. The affected modules provide OPC UA access, EtherNet/IP and PROFINET connectivity, high-speed data logging, and MES integration, so a crash interrupts whichever of these functions the process depends on.
Who's at risk
Energy utilities operating Mitsubishi Electric MELSEC iQ-R programmable logic controllers (PLCs) should be concerned, especially those using OPC UA, EtherNet/IP, PROFINET, data logging, or MES interface modules. Water utilities and power generation/distribution facilities relying on these PLCs for critical process control are at highest risk.
How it could be exploited
An attacker who can reach the MELSEC iQ-R module over the network sends specially crafted packets to the module's service. Because the module does not properly validate the incoming data and the vulnerable code path requires no authentication, the attacker can crash the module or execute arbitrary code on it without valid credentials or any user interaction.
Prerequisites
  • Network access to the MELSEC iQ-R module (the port and protocol depend on the module type: OPC UA for RD81OPC96, EtherNet/IP for RJ71EIP91, PROFINET for RJ71PN92, and so on)
  • Module serial number from an affected production batch (early serial numbers; see the affected products table for the per-module cutoff)
  • No authentication required
Tags: remotely exploitable · no authentication required · low complexity · no patch available · affects critical infrastructure (energy/water) · multiple products affected
Exploitability
Low exploit probability (EPSS 0.9%)
Affected products (5), all end of life with no fix

Product                                         Affected serial numbers               Fix Status
High Speed Data Logger Module RD81DL96          first 2 digits 08 or before (≤ 08)    No fix (EOL)
PROFINET IO Controller Module RJ71PN92          first 2 digits 01 or before (≤ 01)    No fix (EOL)
MES Interface Module RD81MES96N                 first 2 digits 04 or before (≤ 04)    No fix (EOL)
OPC UA Server Module RD81OPC96                  first 2 digits 04 or before (≤ 04)    No fix (EOL)
EtherNet/IP Network Interface Module RJ71EIP91  first 2 digits 02 or before (≤ 02)    No fix (EOL)

Units whose serial number starts with a higher two-digit value than the cutoff for their model are not listed as affected. Read the serial number from each installed module rather than inferring the batch from purchase or installation date.
Remediation & Mitigation
Do now
WORKAROUND: Implement firewall rules that block untrusted network access to MELSEC iQ-R modules. Allow connections only from trusted engineering and SCADA networks, and only to the protocol ports each module actually serves.
HARDENING: Perform a network inventory to identify which MELSEC iQ-R modules are deployed and record each module's serial number batch to determine exposure.
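The inventory check above, as an added example (not code from the OTPulse page or from Mitsubishi Electric): it classifies each module in an inventory against the per-module serial cutoffs from the advisory table. It assumes the inventory is a CSV with at least "model" and "serial" columns and that each serial is recorded exactly as printed on the module, so its first two characters are the two digits the advisory refers to; the sample inventory and its serial values are constructed. A serial that does not start with two digits is reported as "unknown" rather than quietly treated as safe.

```python
"""Serial-number exposure triage for the MELSEC iQ-R batches in ICSA-20-303-02.

Added example; not code from the OTPulse page or from Mitsubishi Electric.
Assumption (labelled): the inventory is a CSV with "model,serial" columns and
each serial is recorded as printed on the module, so its first two characters
are the two digits the advisory's cutoffs refer to.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass

# Highest affected two-digit serial prefix per module, from the advisory table.
AFFECTED_PREFIX_MAX = {
    "RD81DL96": 8,    # High Speed Data Logger: 08 or before
    "RJ71PN92": 1,    # PROFINET IO Controller: 01 or before
    "RD81MES96N": 4,  # MES Interface: 04 or before
    "RD81OPC96": 4,   # OPC UA Server: 04 or before
    "RJ71EIP91": 2,   # EtherNet/IP Network Interface: 02 or before
}

# Constructed sample inventory; serial values and locations are made up.
SAMPLE_INVENTORY = """\
model,serial,location
RD81OPC96,0412A00001,substation-a
RD81OPC96,0512A00002,substation-a
RJ71PN92,0112A00003,pump-house-1
RJ71EIP91,0212A00004,pump-house-1
RD81DL96,0912A00005,substation-b
RD81MES96N,0412A00006,plant-floor
RJ71C24,0112A00007,plant-floor
RD81DL96,AB12A00008,plant-floor
"""


@dataclass
class Finding:
    model: str
    serial: str
    status: str  # "affected", "not affected", "not listed" or "unknown"
    reason: str


def classify(model: str, serial: str) -> Finding:
    """Compare one module's serial prefix with the advisory cutoff for its model."""
    model = model.strip().upper()
    serial = serial.strip()
    if model not in AFFECTED_PREFIX_MAX:
        return Finding(model, serial, "not listed", "model not named in the advisory")
    prefix = serial[:2]
    if len(prefix) != 2 or not prefix.isdigit():
        # Never treat an odd-looking serial as safe; it has to be re-read from the module.
        return Finding(model, serial, "unknown",
                       "serial does not start with two digits; re-check on the module")
    limit = AFFECTED_PREFIX_MAX[model]
    if int(prefix) <= limit:
        return Finding(model, serial, "affected", f"prefix {prefix} is {limit:02d} or before")
    return Finding(model, serial, "not affected", f"prefix {prefix} is after {limit:02d}")


def triage_inventory(csv_text: str) -> list[Finding]:
    """Classify every row of a CSV with model and serial columns (extra columns ignored)."""
    return [classify(row["model"], row["serial"])
            for row in csv.DictReader(io.StringIO(csv_text))]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings by status, e.g. {"affected": 4, "not affected": 2, ...}."""
    return dict(Counter(f.status for f in findings))


if __name__ == "__main__":
    results = triage_inventory(SAMPLE_INVENTORY)
    for f in results:
        print(f"{f.model:<11} {f.serial:<12} {f.status:<13} {f.reason}")
    print(summarize(results))
```

Running it on the constructed inventory reports four affected modules, two later-batch modules that are not affected, one model the advisory does not name, and one serial that has to be re-read on site.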
Schedule (requires maintenance window)

Applying a firmware update may require a module or PLC reboot; plan for process interruption.

HOTFIX: Contact Mitsubishi Electric to confirm whether a fix is available for your module's serial number batch and, if so, schedule an update window.
Mitigations (no patch available)
The following products have reached End of Life with no planned fix:
  • High Speed Data Logger Module RD81DL96, first 2 digits of serial number 08 or before
  • PROFINET IO Controller Module RJ71PN92, first 2 digits of serial number 01 or before
  • MES Interface Module RD81MES96N, first 2 digits of serial number 04 or before
  • OPC UA Server Module RD81OPC96, first 2 digits of serial number 04 or before
  • EtherNet/IP Network Interface Module RJ71EIP91, first 2 digits of serial number 02 or before
Apply the following compensating controls:
HARDENING: Isolate the MELSEC iQ-R PLC network from the business/corporate network using an air gap, a VPN with strict access controls, or dedicated firewall rules.
HARDENING: Ensure MELSEC iQ-R systems are not accessible from the internet. Disable or restrict remote access unless it is absolutely required.
HARDENING: If remote access is necessary, use a VPN with strong authentication and keep the VPN software patched.
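One way to verify that the firewall and isolation controls above are actually holding, as an added example (not code from the OTPulse page or from Mitsubishi Electric): an audit of exported flow records that flags every connection into the PLC network from a source outside the trusted engineering and SCADA networks, and calls out separately any source outside RFC 1918 space, since that means the module is reachable from the internet. Everything about the environment is assumed and constructed: PLC modules in 10.20.0.0/24, trusted networks 10.10.0.0/24 and 10.11.0.0/24, flow records as "src_ip,dst_ip,proto,dst_port" lines from a firewall or span-port sensor, and 203.0.113.8 (a documentation address) standing in for a public source. The port numbers are the protocols' defaults: OPC UA 4840/tcp, EtherNet/IP 44818/tcp for explicit messaging and 2222/udp for implicit I/O, PROFINET context manager 34962-34964/udp. PROFINET cyclic real-time traffic is raw Ethernet (EtherType 0x8892), never shows up in IP flow logs, and has to be contained at layer 2 (VLAN and switch configuration) instead.

```python
"""Audit of IP flow records for untrusted access to MELSEC iQ-R module services.

Added example; not code from the OTPulse page or from Mitsubishi Electric.
Assumptions (all constructed for illustration): PLC modules sit in 10.20.0.0/24,
trusted engineering/SCADA hosts in 10.10.0.0/24 and 10.11.0.0/24, and flow
records are "src_ip,dst_ip,proto,dst_port" lines. Ports are protocol defaults.
PROFINET cyclic RT frames are raw Ethernet and never appear in IP flow logs.
"""
import ipaddress

PLC_NETWORK = ipaddress.ip_network("10.20.0.0/24")  # assumed
TRUSTED_NETWORKS = (                                 # assumed
    ipaddress.ip_network("10.10.0.0/24"),  # engineering workstations
    ipaddress.ip_network("10.11.0.0/24"),  # SCADA servers
)
# RFC 1918 ranges; a source outside these means the module is reachable from the internet.
RFC1918 = (
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
)

MODULE_SERVICES = {
    ("tcp", 4840): "OPC UA server (RD81OPC96)",
    ("tcp", 44818): "EtherNet/IP explicit messaging (RJ71EIP91)",
    ("udp", 2222): "EtherNet/IP implicit I/O (RJ71EIP91)",
    ("udp", 34962): "PROFINET context manager (RJ71PN92)",
    ("udp", 34963): "PROFINET context manager (RJ71PN92)",
    ("udp", 34964): "PROFINET context manager (RJ71PN92)",
}

# Constructed flow records: src_ip,dst_ip,proto,dst_port ("#" starts a comment).
SAMPLE_FLOWS = """\
10.10.0.5,10.20.0.10,tcp,4840        # engineering -> OPC UA: allowed
10.11.0.7,10.20.0.11,tcp,44818       # SCADA -> EtherNet/IP: allowed
10.30.0.9,10.20.0.10,tcp,4840        # corporate LAN -> OPC UA: untrusted
203.0.113.8,10.20.0.12,udp,34964     # stand-in public address -> PROFINET: internet-exposed
10.30.0.9,10.20.0.11,tcp,22          # corporate LAN -> unlisted port: still untrusted
10.10.0.5,10.40.0.1,tcp,443          # not toward the PLC network: ignored
not,a,flow                           # malformed line: counted, never treated as trusted
"""


def parse_flow(line: str):
    """Return (src, dst, proto, port) or None for blank, comment-only or malformed lines."""
    line = line.split("#", 1)[0].strip()
    if not line:
        return None
    parts = [p.strip() for p in line.split(",")]
    if len(parts) != 4:
        return None
    try:
        src = ipaddress.ip_address(parts[0])
        dst = ipaddress.ip_address(parts[1])
        port = int(parts[3])
    except ValueError:
        return None
    return src, dst, parts[2].lower(), port


def audit(flow_text: str) -> tuple[list[dict], int]:
    """Return (violations, malformed_count).

    A violation is any flow into the PLC network from a source that is not in a
    trusted network; a non-RFC 1918 source gets its own reason because it means
    the module is exposed to the internet, not just to the corporate LAN.
    """
    violations, malformed = [], 0
    for raw in flow_text.splitlines():
        if not raw.split("#", 1)[0].strip():
            continue  # blank or comment-only line, not a record
        flow = parse_flow(raw)
        if flow is None:
            malformed += 1  # a record we cannot parse is never assumed benign
            continue
        src, dst, proto, port = flow
        if dst not in PLC_NETWORK:
            continue
        if any(src in net for net in TRUSTED_NETWORKS):
            continue
        if not any(src in net for net in RFC1918):
            reason = "source outside RFC 1918 space (internet-exposed)"
        else:
            reason = "untrusted source"
        service = MODULE_SERVICES.get((proto, port), f"unlisted port {port}/{proto}")
        violations.append({"src": str(src), "dst": str(dst), "service": service, "reason": reason})
    return violations, malformed


if __name__ == "__main__":
    found, bad = audit(SAMPLE_FLOWS)
    for v in found:
        print(f"{v['src']:<14} -> {v['dst']:<12} {v['service']:<45} {v['reason']}")
    print(f"{len(found)} violation(s), {bad} malformed line(s)")
```

Any hit is either a firewall rule that is broader than the "trusted engineering and SCADA networks only" policy or a path around the firewall; the unlisted-port case matters because the advisory does not name the exact ports, so the allow-list has to be enforced by source network, not by destination port alone.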