Mitsubishi Electric FA Products
Monitor | 7.4 | ICS-CERT ICSA-22-090-04 | Mar 31, 2022
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
Mitsubishi Electric MELSEC L, Q, iQ-F, and iQ-R series PLCs contain multiple vulnerabilities in authentication and protocol implementation (CWE-836, CWE-328, CWE-312, CWE-294) that allow an unauthenticated attacker on the network to log in to the affected products and read or modify sensitive control data. No public exploits are known, and exploitation requires high attack complexity. All versions of the listed products are affected.
What this means
What could happen
An attacker with network access to these PLCs could log in without proper authentication or intercept and modify sensitive engineering data, potentially allowing them to alter control setpoints, steal process configurations, or disrupt manufacturing/utility operations.
Who's at risk
Energy utilities and manufacturers using Mitsubishi Electric MELSEC L, Q, iQ-F, and iQ-R series PLCs for power distribution control, motor drives, and process automation. Specific affected equipment includes CPU modules (L-series, Q-series, FX5U/FX5UJ, iQ-R series) and Ethernet communication interface modules used in substations, generation facilities, and industrial plants.
How it could be exploited
An attacker on the network (or via the internet if the PLC is exposed) sends crafted authentication or communication packets to the Mitsubishi PLC's Ethernet port. Due to weak credential or protocol implementation, the attacker bypasses authentication and gains access to the PLC's command interface, or intercepts unencrypted communication to read or modify process data.
Prerequisites
- Network connectivity to the PLC's Ethernet port (port 502 for MELSEC or port 3000-3100 for Ethernet modules)
- No VPN or encryption in use for PLC communication
- Firewall or IP filter not configured to restrict PLC access
- Remotely exploitable
- No authentication required
- No patch available (end-of-life or vendor not patching)
- Affects control of critical infrastructure equipment
- High impact (confidentiality and integrity)
- Widespread product line affected
Exploitability
Low exploit probability (EPSS 0.7%)
Affected products (26)
26 EOL
Product | Affected Versions | Fix Status
MELSEC L series LJ71E71-100: All versions | All versions | No fix (EOL)
MELSEC L series LJ72GF15-T2: All versions | All versions | No fix (EOL)
MELSEC Q series Q03UDECPU Q04/06/10/13/20/26/50/100UDEHCPU: All versions | All versions | No fix (EOL)
MELSEC Q series Q04/06/13/26UDPVCPU: All versions | All versions | No fix (EOL)
MELSEC iQ-F Series FX5U(C) CPU modules All models: All versions | All versions | No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Enable and configure the IP filter function on the PLC to restrict inbound connections to trusted engineering workstations and SCADA servers only
- HARDENING: Deploy a VPN or encrypted tunnel for all remote engineering and maintenance access to the PLC
- HARDENING: Position firewalls (network or host-based) to block unauthorized access to PLC Ethernet ports from untrusted networks and the internet
Mitigations - no patch available
The following products have reached End of Life with no planned fix:
- MELSEC L series LJ71E71-100: All versions
- MELSEC L series LJ72GF15-T2: All versions
- MELSEC Q series Q03UDECPU Q04/06/10/13/20/26/50/100UDEHCPU: All versions
- MELSEC Q series Q04/06/13/26UDPVCPU: All versions
- MELSEC iQ-F Series FX5U(C) CPU modules All models: All versions
- MELSEC iQ-F Series FX5UJ CPU modules All models: All versions
- MELSEC iQ-R series 04/08/16/32/120(EN)CPU: All versions
- MELSEC iQ-R series J71GN11-EIP: All versions
- MELSEC iQ-R series R00/01/02CPU: All versions
- MELSEC iQ-R series R08/16/32/120PCPU: All versions
- MELSEC iQ-R series R08/16/32/120PSFCPU: All versions
- MELSEC iQ-R series R08/16/32/120SFCPU: All versions
- MELSEC iQ-R series R16/32/64MTCPU: All versions
- MELSEC iQ-R series RJ71C24(-R2/R4): All versions
- MELSEC iQ-R series RJ71EN71: All versions
- MELSEC iQ-R series RJ71GF11-T2: All versions
- MELSEC iQ-R series RJ71GN11-T2: All versions
- MELSEC iQ-R series RJ71GP21(S)-SX: All versions
- MELSEC iQ-R series RJ72GF15-T2: All versions
- MELSEC L series L02/06/26CPU(-P) L26CPU-(P)BT: All versions
- MELSEC Q series QJ71C24N(-R2/R4): All versions
- MELSEC Q series QJ71E71-100: All versions
- MELSEC Q series QJ72BR15: All versions
- MELSEC Q series QJ72LP25(-25/G/GE): All versions
- MELSEC L series LJ71C24(-R2): All versions
- MELSEC Q series Q03/04/06/13/26UDVCPU: All versions

Apply the following compensating controls:
- HARDENING: Monitor Mitsubishi Electric security advisories for future patches and firmware updates