Mitsubishi Electric MELSEC-Q Series C Controller Module
Act Now · 9 · ICS-CERT ICSA-22-102-02 · Apr 12, 2022
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
A buffer overflow vulnerability exists in the Mitsubishi Electric MELSEC-Q Series C Controller Module Q12DCCPU-V. The module processes network packets in a way that allows a remote attacker to cause a denial-of-service condition or execute arbitrary code. The vulnerability is present in modules whose serial number's first 5 digits are 24031 or prior. Successful exploitation could alter process control logic or halt operations. The attack has high complexity and requires network connectivity but no authentication.
What this means
What could happen
An attacker with network access could halt production on a Mitsubishi Electric PLC controller, or run commands on it to manipulate control logic and setpoints. This affects the availability and integrity of any industrial process controlled by the Q12DCCPU-V module.
Who's at risk
Energy sector operators using Mitsubishi Electric MELSEC-Q Series C Controller Module (model Q12DCCPU-V) with serial numbers beginning 24031 or earlier. This affects any facility using these PLCs to control power generation, distribution, or critical industrial processes.
How it could be exploited
An attacker on the network sends specially crafted packets to the PLC via the DHCP or network interfaces. If the controller is in Extended mode with DHCP enabled, the attack is simpler. The attacker gains code execution or crashes the controller, disrupting the process it controls.
Prerequisites
- Network access to the PLC on the same network segment or routed path
- DHCP function enabled in Extended mode (increases exploitability but not strictly required)
- High attack complexity—the attacker must craft malformed packets or exploit a specific buffer overflow condition
- Remotely exploitable over network
- Critical severity (CVSS 9.0)
- No vendor fix available for affected serial numbers
- Affects safety and availability of industrial control processes
- High impact (remote code execution or denial of service)
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (1)
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| Module Q12DCCPU-V: First 5 digits of serial number 24031 and prior | 5 digits of serial number ≤ 24031 | Serial number 24032 or later |
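
One way to triage an asset inventory against the serial-number boundary above (an added example, not code from the advisory or from Mitsubishi Electric). It assumes a CSV export with hypothetical columns `asset`, `model` and `serial`, with the serial stored as a digit string; the sample rows are constructed.

```python
import csv
import io

AFFECTED_MODEL = "Q12DCCPU-V"
LAST_AFFECTED_PREFIX = 24031  # advisory: first 5 serial digits 24031 and prior


def classify(model: str, serial: str) -> str:
    """Return 'not-applicable', 'affected', 'fixed' or 'unknown' for one asset."""
    if model.strip().upper() != AFFECTED_MODEL:
        return "not-applicable"
    prefix = serial.strip()[:5]
    # A short, blank or non-numeric serial cannot be cleared from the record;
    # flag it for a physical check instead of silently passing it.
    if len(prefix) < 5 or not (prefix.isascii() and prefix.isdigit()):
        return "unknown"
    return "affected" if int(prefix) <= LAST_AFFECTED_PREFIX else "fixed"


def triage(inventory_csv: str) -> dict:
    """Group asset tags by status from CSV text (assumed columns: asset, model, serial)."""
    result = {"affected": [], "fixed": [], "unknown": [], "not-applicable": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status = classify(row.get("model") or "", row.get("serial") or "")
        result[status].append(row.get("asset") or "?")
    return result


# Constructed sample inventory: asset tags and serial numbers are made up.
SAMPLE = """asset,model,serial
PLC-01,Q12DCCPU-V,240311234567890
PLC-02,Q12DCCPU-V,240321234567890
PLC-03,Q12DCCPU-V,199990000000000
PLC-04,q12dccpu-v, 24031
PLC-05,Q12DCCPU-V,2403
PLC-06,Q12DCCPU-V,N/A
PLC-07,Q06UDEHCPU,150120000000000
"""

if __name__ == "__main__":
    for status, assets in triage(SAMPLE).items():
        print(f"{status:15} {', '.join(assets) or '-'}")
```

Assets reported as `unknown` need the serial read from the module itself before they can be treated as unaffected.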
Remediation & Mitigation
Do now
WORKAROUND: Disable the DHCP function in Security Settings of the C language controller settings/monitor tool if DHCP is not required.
HARDENING: Deploy a firewall rule to restrict network access to the PLC to only required engineering workstations and SCADA servers. Block unsolicited inbound connections to the controller.
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption.
HOTFIX: Replace the Q12DCCPU-V module with a unit having first 5 digits of serial number 24032 or later, or contact Mitsubishi Electric for firmware update availability.
HOTFIX: Update the DHCP server on your network to the latest version.
Long-term hardening
HARDENING: Isolate the PLC on a separate VLAN or network segment, away from office IT networks and the Internet.
CVEs (1)