OTPulse

Mitsubishi Electric MELSEC-F Series

Plan Patch · 7.5 · ICS-CERT ICSA-22-013-01 · Jan 13, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The FX3U-ENET, FX3U-ENET-L, and FX3U-ENET-P502 communication modules contain a vulnerability in their network message handling that can be triggered by a specially crafted packet. Exploitation causes a denial-of-service condition that disrupts the module's communication function, preventing data exchange with remote systems. Affected firmware versions are 1.14 and earlier.

What this means
What could happen
A successful attack could disable communication functions on the FX3U-ENET module, preventing the PLC from exchanging data with remote devices or control systems. This could stop remote process monitoring and control until the device recovers or is manually reset.
Who's at risk
Energy sector operators running Mitsubishi Electric MELSEC-F series programmable logic controllers (PLCs) with FX3U-ENET, FX3U-ENET-L, or FX3U-ENET-P502 Ethernet communication modules are affected. This includes power generation, distribution, and water/wastewater treatment facilities that rely on these modules for remote monitoring and control.
How it could be exploited
An attacker with network access to the FX3U-ENET module can send a specially crafted network packet that triggers a denial-of-service condition in the module's communication stack. The attacker does not need credentials or any special privileges—only the ability to reach the module's network interface.
Prerequisites
  • Network access to the FX3U-ENET module's Ethernet port
  • No authentication or special configuration required
remotely exploitable, no authentication required, low complexity attack, no patch available for older firmware versions, affects process communication
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (3)
3 with fix
Product                   Affected Versions   Fix Status
FX3U-ENET Firmware        ≤ 1.14              1.16 or later
FX3U-ENET-L Firmware      ≤ 1.14              1.16 or later
FX3U-ENET-P502 Firmware   ≤ 1.14              1.16 or later
Remediation & Mitigation
Do now
WORKAROUND: Configure firewall rules to restrict network access to FX3U-ENET modules from untrusted networks and hosts
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update FX3U-ENET firmware to version 1.16 or later
HOTFIX: Update FX3U-ENET-L firmware to version 1.16 or later
HOTFIX: Update FX3U-ENET-P502 firmware to version 1.16 or later
Long-term hardening
HARDENING: Deploy the FX3U-ENET modules on isolated LANs separated from the corporate network and Internet
HARDENING: Use VPN or firewall to control access if Internet connectivity is required
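
Added example (not part of the original advisory or any vendor material): a Python triage of an asset inventory against the affected and fixed versions listed above, to decide which modules go into the maintenance window. The CSV columns, hostnames and status names are assumptions; firmware 1.15 is reported as "verify" because the advisory lists it as neither affected nor fixed.

```python
import csv
import io
import re

# Version boundaries as stated in the advisory's affected-products table.
AFFECTED_MODELS = {"FX3U-ENET", "FX3U-ENET-L", "FX3U-ENET-P502"}
LAST_AFFECTED = (1, 14)  # firmware 1.14 and earlier is affected
FIRST_FIXED = (1, 16)    # fixed in 1.16 or later

# Constructed sample inventory; hostnames and CSV columns are assumptions.
SAMPLE_INVENTORY = """\
host,model,firmware
plc-pump-01,FX3U-ENET,1.14
plc-pump-02,FX3U-ENET-L,1.16
plc-feed-03,FX3U-ENET-P502,1.10
plc-feed-04,FX3U-ENET,1.15
plc-line-05,fx3u-enet-l,V1.20
plc-line-06,FX3U-ENET,unknown
io-07,OTHER-MODULE,1.10
"""


def parse_version(text):
    """(major, minor) for 'N.NN', else None; '1.2' is ambiguous, so rejected."""
    m = re.fullmatch(r"[vV]?(\d+)\.(\d{2})", text.strip(), re.ASCII)
    return (int(m.group(1)), int(m.group(2))) if m else None


def classify(model, firmware):
    if model.strip().upper() not in AFFECTED_MODELS:
        return "not-in-scope"
    version = parse_version(firmware)
    if version is None:
        return "verify"  # unreadable version: read it off the device
    if version <= LAST_AFFECTED:
        return "affected"
    if version >= FIRST_FIXED:
        return "fixed"
    return "verify"  # 1.15 is listed as neither affected nor fixed


def triage(inventory_csv):
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: classify(row["model"], row["firmware"]) for row in rows}


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

Hosts reported as "affected" are the ones to firewall now and schedule for the firmware update; "verify" entries need the version confirmed on the module itself.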