OTPulse

Mitsubishi Electric MELSEC iQ-R Series

Act Now · 6.8 · ICS-CERT ICSA-20-317-01 · Nov 12, 2020
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

A denial-of-service vulnerability exists in Mitsubishi Electric MELSEC iQ-R series CPU modules due to uncontrolled resource consumption when processing requests to the web server function. The vulnerability affects R00/01/02 CPU firmware versions 5–10 and R04/08/16/32/120(EN) CPU firmware versions 35–51. Successful exploitation causes the device to become unresponsive, disrupting control system operations until the PLC is manually restarted. No authentication is required to trigger the condition.

What this means
What could happen
A remote attacker can trigger a denial-of-service condition on Mitsubishi Electric MELSEC iQ-R series PLCs, disrupting process monitoring and control until the device is restarted.
Who's at risk
Energy operators running Mitsubishi Electric MELSEC iQ-R series PLCs (R00, R01, R02, R04, R08, R16, R32, R120, R120EN) used for process control, monitoring, and automation. Any water utility or electric utility relying on these devices for critical operations is affected.
How it could be exploited
An attacker with network access to the web server port on the PLC can send specially crafted requests that consume system resources (CWE-400: Uncontrolled Resource Consumption), causing the device to become unresponsive. No authentication is required if the web server is enabled.
Prerequisites
  • Network access to the PLC's web server port (typically port 80 or 443)
  • Web server function enabled on the target PLC (can be disabled in configuration)
  • No authentication required
remotely exploitable · no authentication required · high EPSS score (18.4%) · no patch available for older firmware versions
Exploitability
High exploit probability (EPSS 18.4%)
Affected products (2)
2 pending
Product | Affected Versions | Fix Status
MELSEC iQ-R series CPU module products R04/08/16/32/120(EN) CPU: Firmware | ≥ 35, ≤ 51 | No fix yet
MELSEC iQ-R series CPU module products R00/01/02 CPU: Firmware | ≥ 05, ≤ 10 | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Disable the web server function if not needed by changing the 'To Use or Not to Use Web Server' setting to 'Not Use'
HARDENING: Restrict network access to the PLC using a firewall; block all inbound access from untrusted networks and hosts
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update MELSEC iQ-R R00/01/02 CPU to firmware version 20 or later
HOTFIX: Update MELSEC iQ-R R04/08/16/32/120(EN) CPU to firmware version 52 or later
Long-term hardening
HARDENING: Isolate the PLC and control system network from the business network and the Internet
HARDENING: If Internet access to the PLC is required, use a VPN with current security updates