Mitsubishi Electric MELSOFT iQ AppPortal

Act Now9.8ICS-CERT ICSA-22-132-02May 12, 2022

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

MELSOFT iQ AppPortal versions 1.00A through 1.26C contain multiple vulnerabilities including memory corruption (CWE-787, CWE-120), null pointer dereference (CWE-476), authentication bypass (CWE-862), and infinite loops (CWE-835) that allow unauthenticated remote code execution, denial of service, information disclosure, and authentication bypass. Successful exploitation could allow an attacker to execute arbitrary code, modify project files, or crash the application on affected workstations.

What this means

What could happen

An attacker could exploit multiple vulnerabilities in MELSOFT iQ AppPortal to execute arbitrary code, bypass authentication, or disrupt operations on engineering workstations, potentially allowing them to modify PLC programs, alter setpoints, or stop production.

Who's at risk

This affects energy utilities and manufacturing plants that use Mitsubishi Electric MELSOFT iQ AppPortal for PLC programming and industrial automation. The risk is highest for facilities that have these engineering workstations connected to networked environments where they could be accessed by untrusted users or from the internet.

How it could be exploited

An attacker with network access to a workstation running MELSOFT iQ AppPortal could send specially crafted requests to exploit memory corruption and authentication bypass vulnerabilities. The attacker could then execute arbitrary code with the privileges of the AppPortal application, gaining the ability to modify or delete project files, insert malicious ladder logic, or cause the application to crash.

Prerequisites

Network access to the workstation running MELSOFT iQ AppPortal on a reachable port
No authentication required; vulnerabilities in network-facing components allow unauthenticated exploitation

Remotely exploitableNo authentication requiredLow complexity attackHigh EPSS score (87.1%)Multiple vulnerability types (memory corruption, buffer overflow, denial of service)Affects engineering software that controls industrial processes

Exploitability

High exploit probability (EPSS 87.1%)

Affected products (1)

ProductAffected VersionsFix Status

MELSOFT iQ AppPortal (SW1DND-IQAPL-M):≥ 1.00A | ≤ 1.26C1.29F or later

Remediation & Mitigation

0/5

Do now

0/1

WORKAROUNDRestrict network access to workstations running this product to trusted networks or hosts only via firewall rules

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate MELSOFT iQ AppPortal to version 1.29F or later

Long-term hardening

0/3

HARDENINGRun the application and user accounts with minimal required privileges, not as administrator

HARDENINGInstall and maintain current antivirus software on all workstations running this product

HARDENINGIsolate engineering workstations running MELSOFT iQ AppPortal from the internet and general business network using a separate engineering network

CVEs (8)

CVE-2020-13938 CVE-2021-26691 CVE-2021-34798 CVE-2021-3711 CVE-2021-44790 CVE-2022-22720 CVE-2022-23943 CVE-2022-0778

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/858fa82e-991b-4177-b1f8-e2c3504ed4a4