Mitsubishi Electric MELSEC iQ-R Series C Controller Module (Update B)
Monitor | 6.8 | ICS-CERT ICSA-21-280-04 | Oct 7, 2021
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
The MELSEC iQ-R Series C Controller Module R12CCPU-V is vulnerable to a resource exhaustion condition that can prevent the module from starting up. Successful exploitation could render the controller inoperable until a manual system reset is performed. This vulnerability affects firmware versions 16 and earlier. The vendor has not released a patch and does not plan to update this product line.
What this means
What could happen
An attacker could trigger a denial of service that prevents the R12CCPU-V controller module from starting up, requiring a manual system reset to restore operations. This affects any automated processes controlled by the affected module until recovery is complete.
Who's at risk
Energy sector operators using Mitsubishi Electric MELSEC iQ-R Series systems should care about this vulnerability. This affects the R12CCPU-V controller module, which is commonly used in manufacturing, power distribution, water treatment, and other critical infrastructure for process automation and control. Any facility relying on this module for continuous operation is at risk of unplanned downtime.
How it could be exploited
An attacker with network access to the controller module sends a specially crafted packet that triggers a resource exhaustion condition (CWE-400). This causes the module to fail to start or become unresponsive, requiring manual intervention to reset the system and restore control functionality.
Prerequisites
- Network access to the R12CCPU-V controller module
- No authentication required to send the exploit packet
remotely exploitable | no authentication required | low complexity | no patch available | affects control systems
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (1)
Product: MELSEC iQ-R Series C Controller Module R12CCPU-V: Firmware
Affected Versions: ≤ 16
Fix Status: No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Deploy firewalls to prevent external network access to the R12CCPU-V controller modules; restrict inbound traffic to only authorized engineering workstations and HMI systems
WORKAROUND: If remote access is required, implement a VPN solution; ensure the VPN is configured securely and kept up to date with current patches
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HARDENING: Monitor the controller module for unexpected resets or startup failures and establish documented procedures for recovery
Mitigations - no patch available
MELSEC iQ-R Series C Controller Module R12CCPU-V: Firmware has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Implement network segmentation: place all MELSEC iQ-R controller modules on isolated control networks separated from business networks and the Internet
CVEs (1)