Mitsubishi Electric MELFA (Update A)
Monitor · 7.5 · ICS-CERT ICSA-21-021-04 · Jan 21, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Denial-of-service vulnerability in Mitsubishi Electric MELFA FR Series, MELFA CR Series, and MELFA ASSISTA industrial robots. All versions are affected. The vulnerability can be exploited remotely without authentication or user interaction. No patch is available from the vendor. Mitigation requires network isolation and IP filtering via firewall rules or the product's built-in IP filter function (available in firmware version C2 or later).
What this means
What could happen
An attacker could remotely stop a robot arm, halting production until the device is manually restarted, affecting manufacturing lines, welding operations, or assembly processes that depend on the robot.
Who's at risk
Manufacturing operations using Mitsubishi Electric MELFA FR Series, MELFA CR Series, or MELFA ASSISTA industrial robots for welding, assembly, material handling, or other automated tasks. This affects energy sector facilities, automotive plants, and any facility using these robot arms in critical production workflows.
How it could be exploited
An attacker with network access to the robot's control port can send a specially crafted packet that crashes the robot's operating system or network stack, causing a denial-of-service. No authentication is required. The attack can be performed from any host that can reach the robot's IP address on the network.
Prerequisites
- Network access to the MELFA robot's control port (typically port 502 or manufacturer-default ports)
- No authentication required
- Robot must be reachable from the attacker's network segment, or from the Internet if it is not behind a firewall
Tags: remotely exploitable · no authentication required · low complexity · no patch available · affects manufacturing operations
Exploitability
Moderate exploit probability (EPSS 2.0%)
Affected products (3)
3 EOL
Product | Affected Versions | Fix Status
MELFA FR Series, MELFA CR Series, MELFA ASSISTA - MELFA FR Series | All versions | No fix (EOL)
MELFA FR Series, MELFA CR Series, MELFA ASSISTA - MELFA CR Series | All versions | No fix (EOL)
MELFA FR Series, MELFA CR Series, MELFA ASSISTA - MELFA ASSISTA | All versions | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Deploy a firewall rule to block all inbound connections to the robot from untrusted networks and the Internet. Restrict robot access to only authorized engineering workstations and control systems on the plant LAN.
WORKAROUND: If Internet connectivity to the robot is necessary, use a VPN tunnel with firewall rules to restrict which hosts can access the robot.
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HARDENING: Upgrade robot firmware to version C2 or later to enable the built-in IP filter function, then configure IP filter rules to allow only authorized hosts.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: MELFA FR Series, MELFA CR Series, and MELFA ASSISTA. Apply the following compensating controls:
HARDENING: Isolate the robot on a separate, air-gapped LAN segment or DMZ that does not have direct routes to the Internet or untrusted office networks.
CVEs (1)
API:
/api/v1/advisories/4f0f5cc9-4bbb-4f1b-9261-8ccc5272d5a8