Mitsubishi Electric MELSEC iQ-F Series
Plan PatchCVSS 8.6ICS-CERT ICSA-22-139-01May 19, 2022
Mitsubishi ElectricEnergy
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary
Mitsubishi Electric MELSEC iQ-F series programmable logic controllers (PLCs) contain an input validation flaw (CWE-20) in Ethernet communication. A remote attacker can send malformed packets to the device, causing a denial-of-service condition where the PLC stops responding. The vulnerability affects FX5U, FX5UC, FX5UJ, and FX5S model variants with specific firmware versions below indicated thresholds. This is a follow-up advisory with updated mitigation status: most models have available firmware patches, but FX5S and FX5UJ-ES-A variants require vendor contact for remediation.
What this means
What could happen
An attacker could send specially crafted network packets to a MELSEC iQ-F PLC, causing it to stop responding or crash, disrupting water treatment, power distribution, or other critical automated processes until the device is rebooted.
Who's at risk
This affects water utilities, electric utilities, and other critical infrastructure operators running Mitsubishi MELSEC iQ-F PLC models (FX5U, FX5UC, FX5UJ, and FX5S series). These are core automation controllers used in pumping stations, treatment processes, and distribution systems. Any organization using these models in production should assess their network architecture and prioritize patching or isolation.
How it could be exploited
An attacker with network access to the Ethernet port of the PLC sends malformed packets (invalid input data). The device lacks input validation, processes the malformed data, and crashes or becomes unresponsive. No authentication is required.
Prerequisites
- Network access to the PLC's Ethernet port (port 502 or other configured port)
- Device must be running vulnerable firmware version (see version thresholds in affected products list)
- No credentials or authentication required
Remotely exploitable over EthernetNo authentication requiredLow attack complexityCauses denial of service (device crash or unresponsiveness)No patch available for FX5S and some FX5UJ modelsAffects critical infrastructure with high uptime requirements
Exploitability
Unlikely to be exploited — EPSS score 0.3%
Affected products (14)
1 with fix9 pending4 EOL
ProductAffected VersionsFix Status
MELSEC iQ-F FX5UC-32MT/DS-TS FX5UC-32MT/DSS-TS FX5UC-32MR/DS-TS: All< 1.270No fix yet
MELSEC iQ-F FX5UC-xMy/z x=326496 y=TR z=DDSS with Serial number 179**** and prior: All< 1.073No fix yet
MELSEC iQ-F FX5UC-xMy/z x=326496 y=TR z=DDSS with serial number 17X**** or later: All< 1.270No fix yet
MELSEC iQ-F FX5U-xMy/z x=326480 y=TR z=ESDSESSDSS with Serial number 179**** and prior: All< 1.073No fix yet
MELSEC iQ-F FX5U-xMy/z x=326480 y=TR z=ESDSESSDSS with serial number 17X**** or later: All< 1.270No fix yet
MELSEC iQ-F FX5U-xMy/z x=32,64,80, y=T,R, z=ES,DS,ESS,DSS with serial number 17X**** or later: All< 1.270No fix yet
MELSEC iQ-F FX5U-xMy/z x=32,64,80, y=T,R, z=ES,DS,ESS,DSS with Serial number 179**** and prior: All< 1.073No fix yet
MELSEC iQ-F FX5UC-xMy/z x=32,64,96, y=T,R, z=D,DSS with serial number 17X**** or later: All< 1.270No fix yet
Remediation & Mitigation
0/7
Do now
0/2WORKAROUNDDeploy a firewall or IP filter on the PLC's Ethernet interface to restrict connections to only authorized engineering workstations and SCADA/control systems; use Mitsubishi's IP Filter Function (refer to MELSEC iQ-F FX5 User's Manual section 12.1)
HARDENINGIf internet access to the PLC is required, place it behind a firewall or virtual private network (VPN) to prevent unauthorized external access
Schedule — requires maintenance window
0/5Patching may require device reboot — plan for process interruption
HOTFIXUpdate MELSEC iQ-F FX5U and FX5UC series with serial number 17X**** or later to firmware v1.270 or later
HOTFIXUpdate MELSEC iQ-F FX5U and FX5UC series with serial number 179**** and prior to firmware v1.073 or later
HOTFIXUpdate MELSEC iQ-F FX5UC-32MT/DS-TS, FX5UC-32MT/DSS-TS, and FX5UC-32MR/DS-TS to firmware v1.270 or later
HOTFIXUpdate MELSEC iQ-F FX5UJ series to firmware v1.030 or later
HOTFIXContact Mitsubishi Electric representative for fix availability for MELSEC iQ-F FX5UJ-xMy/ES-A and FX5S-xMy/z series
CVEs (2)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/8722db68-884b-4037-b574-ba3a6515f9d6Get OT security insights every Tuesday
Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.