OTPulse

Mitsubishi Electric MELSEC and MELIPC Series (Update G)

Monitor | 7.5 | ICS-CERT ICSA-21-334-02 | Nov 30, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple Mitsubishi Electric MELSEC and MELIPC controllers contain input validation vulnerabilities (CWE-20, CWE-400, CWE-130) that allow remote denial-of-service attacks. A remote attacker with network access to the device can send a malformed packet that causes the controller to become unresponsive, requiring manual reset to restore function. Affected products include MELSEC Q Series (Q03/04/06/10/13/20/26/50/100UDEHCPU, Q03/04/06/13/26UDVCPU, Q04/06/13/26UDPVCPU, Q12DCCPU-V, Q24DHCCPU-V(G), Q24/26DHCCPU-LS, MR-MQ100, Q172/173DCPU-S1, Q172/173DSCPU, Q170MCPU, Q170MSCPU), MELSEC iQ-R Series (R00/01/02/04/08/16/32/120CPU, R08/16/32/120SFCPU, R08/16/32/120PCPU, R08/16/32/120PSFCPU, R16/32/64MTCPU, R12CCPU-V), MELSEC L Series (L02/06/26CPU, L26CPU-BT), and MELIPC MI5122-VW.

What this means
What could happen
An attacker with network access to a vulnerable Mitsubishi MELSEC or MELIPC controller can cause it to stop responding, forcing an emergency system reset and interrupting production or critical processes like power distribution or water treatment.
Who's at risk
Energy sector operators using Mitsubishi MELSEC Q and L series PLCs or MELIPC industrial PCs for critical control functions (power generation, distribution, substations, water/wastewater treatment, manufacturing). Affects both modern iQ-R series and legacy Q series controllers used in SCADA and process automation.
How it could be exploited
An attacker sends a specially crafted packet to the Ethernet port of the vulnerable PLC. The device fails to properly validate the input (CWE-20, CWE-400), processes it incorrectly, and becomes unresponsive. This triggers a denial-of-service condition requiring manual reset of the controller to restore operations.
Prerequisites
  • Network access to the PLC Ethernet port (port 502 or similar)
  • No authentication required
  • Device must be connected to a network reachable by the attacker
remotely exploitable | no authentication required | low complexity attack | no patch available for legacy Q and L series | affects critical infrastructure | requires manual system reset to recover
Exploitability
Low exploit probability (EPSS 0.7%)
Affected products (58)
58 pending
Product | Affected Versions | Fix Status
MELSEC Q Series Q06UDPVCPU, first 5 digits of serial No. | ≤ 23071 | No fix yet
MELSEC Q Series Q13UDPVCPU, first 5 digits of serial No. | ≤ 23071 | No fix yet
MELSEC Q Series Q26UDPVCPU, first 5 digits of serial No. | ≤ 23071 | No fix yet
MELSEC Q Series Q12DCCPU-V, first 5 digits of serial No. | ≤ 24031 | No fix yet
MELSEC Q Series Q24DHCCPU-V(G), first 5 digits of serial No. | ≤ 24031 | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Enable IP filter function to block access from untrusted hosts
WORKAROUND: Enable remote password function to require authentication for network access
HARDENING: Deploy a firewall or restrict PLC network access to trusted hosts only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

MELSEC Q Series Q170MSCPU(-S1) Operating system: <=Y
HOTFIX: Upgrade MELSEC Q Series Q172/173DCPU-S1 operating system to version X or later
HOTFIX: Upgrade MELSEC Q Series Q170MSCPU(-S1) operating system to version Z or later
All products
HOTFIX: Upgrade MELSEC iQ-R Series R00/01/02CPU to firmware version 25 or later
HOTFIX: Upgrade MELSEC iQ-R Series R04/08/16/32/120(EN)CPU to firmware version 58 or later
HOTFIX: Upgrade MELSEC iQ-R Series R08/16/32/120SFCPU to firmware version 27 or later
HOTFIX: Upgrade MELSEC iQ-R Series R08/16/32/120PCPU to firmware version 30 or later
HOTFIX: Upgrade MELSEC iQ-R Series R08/16/32/120PSFCPU to firmware version 09 or later
HOTFIX: Upgrade MELSEC iQ-R Series R16/32/64MTCPU operating system to version 24 or later
HOTFIX: Upgrade MELSEC iQ-R Series R12CCPU-V to firmware version 17 or later
HOTFIX: Upgrade MELSEC Q Series Q03UDECPU, Q04/06/10/13/20/26/50/100UDEHCPU to serial number 23122 or later
HOTFIX: Upgrade MELSEC Q Series Q03/04/06/13/26UDVCPU to serial number 23072 or later
HOTFIX: Upgrade MELSEC Q Series Q04/06/13/26UDPVCPU to serial number 23072 or later
HOTFIX: Upgrade MELSEC Q Series Q12DCCPU-V, Q24DHCCPU-V(G), Q24/26DHCCPU-LS to serial number 24032 or later
HOTFIX: Upgrade MELSEC Q Series MR-MQ100 operating system to version G or later
HOTFIX: Upgrade MELSEC Q Series Q172/173DSCPU operating system to version Z or later
HOTFIX: Upgrade MELSEC Q Series Q170MCPU operating system to version X or later
HOTFIX: Upgrade MELSEC L Series L02/06/26CPU(-P), L26CPU-(P)BT to serial number 23122 or later
HOTFIX: Upgrade MELIPC Series MI5122-VW to firmware version 06 or later
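
Added example (not part of the advisory, and not vendor or OTPulse code): a triage script that expands the model shorthand used in the list above (for example Q04/06/13/26UDPVCPU) into individual model names and compares an asset inventory against the fixed serial or firmware values. The function names, the inventory layout and the sample rows are assumptions made for illustration; only a subset of the listed products is encoded, and letter-coded operating system versions are left out.

```python
import re

# Subset of the "fixed in" values from the remediation list above, keyed by the
# model shorthand as printed there. Letter-coded OS versions are left out.
FIXED_IN = {
    "R00/01/02CPU": ("firmware", 25),
    "R08/16/32/120SFCPU": ("firmware", 27),
    "R08/16/32/120PCPU": ("firmware", 30),
    "R08/16/32/120PSFCPU": ("firmware", 9),
    "R12CCPU-V": ("firmware", 17),
    "Q03/04/06/13/26UDVCPU": ("serial", 23072),
    "Q04/06/13/26UDPVCPU": ("serial", 23072),
    "Q12DCCPU-V": ("serial", 24032),
    "Q24/26DHCCPU-LS": ("serial", 24032),
    "MI5122-VW": ("firmware", 6),
}

def expand(shorthand):
    """Expand 'Q04/06/13/26UDPVCPU' into one model name per number."""
    m = re.fullmatch(r"([A-Z]+)(\d+(?:/\d+)*)(.*)", shorthand)
    if not m:
        return [shorthand]
    prefix, numbers, suffix = m.groups()
    return [prefix + n + suffix for n in numbers.split("/")]

INDEX = {m: rule for short, rule in FIXED_IN.items() for m in expand(short)}

def triage(model, field, value):
    """Return 'fixed', 'vulnerable', or 'unknown' (model or field not covered)."""
    rule = INDEX.get(model.strip().upper())
    digits = re.sub(r"\D", "", str(value))
    need = 5 if field == "serial" else 1
    if rule is None or rule[0] != field or len(digits) < need:
        return "unknown"
    # The advisory compares only the first 5 digits of the serial number.
    number = int(digits[:5]) if field == "serial" else int(digits)
    return "fixed" if number >= rule[1] else "vulnerable"

# Constructed inventory (hostnames, serials and versions are made up).
INVENTORY = [
    ("line1-plc", "Q06UDPVCPU", "serial", "230710123456789"),
    ("line2-plc", "Q06UDPVCPU", "serial", "230720123456789"),
    ("pump-plc", "R08PCPU", "firmware", "29"),
    ("hmi-ipc", "MI5122-VW", "firmware", "06"),
    ("spare", "Z99CPU", "firmware", "01"),  # hypothetical model, not in the advisory
]

def report(inventory=INVENTORY):
    return {host: triage(model, field, value) for host, model, field, value in inventory}
```

Assets reported as "unknown" are not cleared; they need a manual check against the full product list.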
Long-term hardening
HARDENING: If internet access is required, use a VPN to route PLC communications through an encrypted tunnel
HARDENING: Isolate all MELSEC/MELIPC controllers on a separate network segment from the business network