Mitsubishi Electric MELSEC iQ-R Series

Plan PatchCVSS 9.1ICS-CERT ICSA-21-287-03Aug 6, 2021

Mitsubishi ElectricEnergy

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A vulnerability in the authentication mechanism of Mitsubishi Electric MELSEC iQ-R series Safety and SIL2 Process CPUs allows a remote attacker to obtain credentials and log in to the CPU module. The affected products include Safety CPU models R08/16/32/120SFCPU (firmware ≤26) and SIL2 Process CPU models R08/16/32/120PSFCPU (firmware ≤11). Exploitation could lead to unauthorized access and control of safety-critical and process control logic. Mitsubishi Electric states that updating the affected products to fixed firmware versions is not available, leaving only mitigation measures as interim protection.

What this means

What could happen

An attacker with network access could obtain credentials and log into your safety or process CPU, potentially enabling manipulation of process setpoints, safety logic, or triggering unplanned shutdowns of critical manufacturing or energy infrastructure.

Who's at risk

Energy sector operators and manufacturing facilities using Mitsubishi Electric MELSEC iQ-R series Safety CPUs (R08/16/32/120SFCPU) or SIL2 Process CPUs (R08/16/32/120PSFCPU) in critical automation and process control applications.

How it could be exploited

An attacker on the network sends authentication requests to the CPU module. The vulnerability in the authentication mechanism allows credential theft or bypass, granting the attacker login access to the CPU where they can execute commands or modify control logic.

Prerequisites

Network connectivity to the CPU module port
No valid user credentials required for initial exploitation

remotely exploitableno authentication requiredlow complexityaffects safety systemsno patch available

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (8)

8 with fix8 EOL

ProductAffected VersionsFix Status

MELSEC iQ-R series Safety CPU R08SFCPU Firmware: <=26≤ 2627

MELSEC iQ-R series Safety CPU R16SFCPU Firmware: <=26≤ 2627

MELSEC iQ-R series Safety CPU R32SFCPU Firmware: <=26≤ 2627

MELSEC iQ-R series Safety CPU R120SFCPU Firmware: <=26≤ 2627

MELSEC iQ-R series SIL2 Process CPU R16PSFCPU Firmware: <=11≤ 1112

MELSEC iQ-R series SIL2 Process CPU R32PSFCPU Firmware: <=11≤ 1112

MELSEC iQ-R series SIL2 Process CPU R120PSFCPU Firmware: <=11≤ 1112

MELSEC iQ-R series SIL2 Process CPU R08PSFCPU Firmware: <=11≤ 1112

Remediation & Mitigation

0/6

Do now

0/3

WORKAROUNDBlock network access to the CPU module from untrusted networks and hosts using firewall rules

WORKAROUNDDeploy a VPN if Internet access to the CPU module is required

WORKAROUNDConfigure IP filter function on the CPU module to restrict accessible IP addresses to authorized hosts only

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate firmware to version 27 or later for Safety CPU models (R08/16/32/120SFCPU)

HOTFIXUpdate firmware to version 12 or later for SIL2 Process CPU models (R08/16/32/120PSFCPU)

Mitigations - no patch available

0/1

The following products have reached End of Life with no planned fix: MELSEC iQ-R series Safety CPU R08SFCPU Firmware: <=26, MELSEC iQ-R series Safety CPU R16SFCPU Firmware: <=26, MELSEC iQ-R series Safety CPU R32SFCPU Firmware: <=26, MELSEC iQ-R series Safety CPU R120SFCPU Firmware: <=26, MELSEC iQ-R series SIL2 Process CPU R16PSFCPU Firmware: <=11, MELSEC iQ-R series SIL2 Process CPU R32PSFCPU Firmware: <=11, MELSEC iQ-R series SIL2 Process CPU R120PSFCPU Firmware: <=11, MELSEC iQ-R series SIL2 Process CPU R08PSFCPU Firmware: <=11. Apply the following compensating controls:

HARDENINGIsolate MELSEC iQ-R series CPUs on a dedicated control network separated from corporate IT and untrusted networks

CVEs (1)

CVE-2021-20599

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/f92933e7-0131-4003-9e7a-f57d269ce23d

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.