Mitsubishi Electric Europe B.V. smartRTU and INEA ME-RTU

Act NowCVSS 9.8ICS-CERT ICSA-21-252-03Sep 9, 2021

Mitsubishi ElectricEnergy

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Mitsubishi Electric smartRTU and INEA ME-RTU devices (firmware versions earlier than 3.3) contain multiple vulnerabilities including command injection (CWE-78), improper access control (CWE-284), cross-site scripting (CWE-79), hardcoded credentials (CWE-798), and weak privilege separation. These allow an attacker to gain remote code execution on the device without authentication, extract stored credentials, and use those credentials to access other connected RTUs and control systems. Known public exploits exist for these vulnerabilities.

What this means

What could happen

An attacker with network access to a smartRTU or INEA ME-RTU device could execute arbitrary commands on the device, allowing them to alter setpoints, disable alarms, manipulate control logic, or disrupt critical operations in energy systems. Attackers could also extract stored credentials to gain access to other networked RTUs and control systems.

Who's at risk

Energy utilities and municipal power systems using Mitsubishi Electric smartRTU or INEA ME-RTU devices for remote telemetry, monitoring, and control of substations, generation facilities, or distribution networks. Any facility relying on these RTUs for SCADA communications is at risk.

How it could be exploited

An attacker on the same network (or from the internet if the device is exposed) can send a specially crafted network request to the RTU without needing credentials. The vulnerability in command handling and authentication allows the attacker to run arbitrary commands directly on the device, bypassing access controls. Once inside, the attacker can extract credentials stored on the device and reuse them to compromise other RTUs or control systems on the network.

Prerequisites

Network access to the smartRTU or INEA ME-RTU device (direct or via compromised network segment)
Device running firmware version earlier than 3.3
No authentication required for exploitation

remotely exploitableno authentication requiredlow complexityknown public exploits availableaffects critical energy infrastructurehigh EPSS score (60.8%)all firmware versions before 3.3 affectedallows credential extraction for lateral movement

Exploitability

Likely to be exploited — EPSS score 60.8%

Affected products (1)

ProductAffected VersionsFix Status

smartRTU and INEA ME-RTU: all< 3.33.3+

Remediation & Mitigation

0/5

Do now

0/3

HARDENINGIsolate all smartRTU and INEA ME-RTU devices from the internet and public networks using firewalls

WORKAROUNDIf remote access is required, implement a VPN connection with current security patches; monitor VPN access logs

HARDENINGScan for and rotate any credentials found on or transmitted by compromised RTUs across all networked control systems

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate firmware to version 3.3 or later on all smartRTU and INEA ME-RTU devices

Long-term hardening

0/1

HARDENINGPlace RTU devices behind firewalls on a dedicated, segmented OT network separate from business network

CVEs (7)

CVE-2019-14931 CVE-2019-14927 CVE-2019-14928 CVE-2019-14926 CVE-2019-14930 CVE-2019-14929 CVE-2019-14925

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/fb580699-f706-4d6a-8d52-2f65aa55481d

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.