Mitsubishi Electric MELSEC-F Series
Plan Patch | 7.5 | ICS-CERT ICSA-21-201-01 | Jul 20, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A null pointer dereference vulnerability (CWE-476) in Mitsubishi Electric FX3U-ENET family Ethernet communication modules allows a remote attacker to cause a denial-of-service condition, forcing loss of PLC communication and requiring manual system reset. The FX3U-ENET, FX3U-ENET-L, and FX3U-ENET-P502 devices with firmware version 1.14 and earlier are vulnerable. Exploitation does not require authentication.
What this means
What could happen
A remote attacker can cause the Ethernet gateway modules to lose communication or require a system restart, disrupting PLC connectivity and potentially halting automated control of water treatment or power distribution equipment.
Who's at risk
Energy sector operators running water treatment or power distribution systems with Mitsubishi FX3U-ENET family Ethernet gateway modules. These devices provide remote monitoring and control connectivity; disruption can halt automated processes and require on-site manual recovery.
How it could be exploited
An attacker with network access to the Ethernet module (port 502 or common Modbus TCP port) can send a malformed packet that triggers a null pointer dereference (CWE-476), crashing the communication interface. The module must be manually reset to restore operation.
Prerequisites
- Network-accessible Ethernet gateway module (FX3U-ENET family)
- No authentication required
- Device running vulnerable firmware version 1.14 or earlier
remotely exploitable | no authentication required | low complexity | no patch available | denial of service
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (3)
3 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| FX3U-ENET-P502: Firmware | ≤ 1.14 | 1.16 or later |
| FX3U-ENET-L: Firmware | ≤ 1.14 | 1.16 or later |
| FX3U-ENET: Firmware | ≤ 1.14 | 1.16 or later |
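Added example (not part of the advisory): a triage of a constructed asset inventory against the version ranges in the table above. The CSV layout, asset names and two-part `major.minor` firmware format are assumptions; versions are compared as integer pairs so that 1.9 sorts below 1.14, and a version between 1.14 and 1.16, which the table does not classify, is reported separately.

```python
import csv
import io

# Values taken from the advisory's affected-products table.
AFFECTED_MODELS = {"FX3U-ENET", "FX3U-ENET-L", "FX3U-ENET-P502"}
LAST_AFFECTED = (1, 14)   # firmware <= 1.14 is listed as vulnerable
FIRST_FIXED = (1, 16)     # firmware >= 1.16 is listed as fixed

# Constructed sample inventory (hypothetical asset names and CSV layout).
SAMPLE_INVENTORY = """asset,model,firmware
wtp-plc-01,FX3U-ENET,1.14
wtp-plc-02,FX3U-ENET-L,1.9
sub-plc-07,FX3U-ENET-P502,1.16
sub-plc-08,fx3u-enet,v1.15
sub-plc-09,FX3U-ENET,
lab-gw-01,OTHER-GW,1.02
"""

def parse_version(text):
    """Return (major, minor) as ints, or None if the field is unusable."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 2 or not all(p.isdecimal() for p in parts):
        return None
    return int(parts[0]), int(parts[1])

def classify(model, firmware):
    """Map one inventory row to a triage status."""
    if model.strip().upper() not in AFFECTED_MODELS:
        return "not-listed"
    version = parse_version(firmware)
    if version is None:
        return "unknown-verify-on-device"   # missing or malformed field
    if version <= LAST_AFFECTED:            # tuple compare: (1, 9) < (1, 14)
        return "vulnerable"
    if version >= FIRST_FIXED:
        return "fixed"
    return "version-not-covered"            # table does not classify this range

def triage(inventory_csv):
    """Return {asset: status} for every row of the inventory CSV text."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["asset"]: classify(r["model"], r["firmware"] or "") for r in rows}

if __name__ == "__main__":
    for asset, status in triage(SAMPLE_INVENTORY).items():
        print(f"{asset:12} {status}")
```

Comparing the same fields as strings or floats would rank 1.9 above 1.14 and miss that device.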
Remediation & Mitigation
Do now
- WORKAROUND: Implement firewall rules to block all untrusted external access to port 502 and Modbus TCP ports on Ethernet gateway modules
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update FX3U-ENET, FX3U-ENET-L, and FX3U-ENET-P502 firmware to version 1.16 or later
- HARDENING: Isolate PLC Ethernet modules from the business network and Internet; restrict access to engineering workstations only
Long-term hardening
- HARDENING: If Internet access to the PLC is required, use a VPN with the latest available security updates
CVEs (1)