Mitsubishi Electric MELSEC-Q/L and MELSEC iQ-R
Plan Patch | CVSS 8.1 | ICS-CERT ICSA-22-165-03 | Jun 14, 2022
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
Improper input validation in Mitsubishi Electric MELSEC-Q, MELSEC-L, and MELSEC iQ-R series PLCs allows an attacker to cause a denial of service or execute code remotely. The vulnerability affects MELSEC-Q Series QJ71E71-100 units whose serial numbers begin with 24061 or earlier, MELSEC-L Series LJ71E71-100 units whose serial numbers begin with 24061 or earlier, and MELSEC iQ-R Series RD81MES96N with firmware version 08 and earlier. Attack complexity is high, and there are no known public exploits.
What this means
What could happen
An attacker could crash a PLC or run arbitrary commands, disrupting production processes, disabling safety interlocks, or modifying setpoints in water treatment or power generation operations.
Who's at risk
Water utilities and electric utilities that use MELSEC-Q, MELSEC-L, or MELSEC iQ-R programmable logic controllers (PLCs) for process control, especially older units with serial numbers beginning 24061 or firmware version 08. Any facility using these PLCs for critical operations (water treatment, power distribution) should assess its exposure.
How it could be exploited
An attacker needs network access to the PLC to send a specially crafted input that bypasses validation checks. Once the input is accepted, the attacker can trigger denial-of-service or inject code for remote execution on the device.
Prerequisites
- Network reachability to the PLC on its communication port (typically Ethernet with Mitsubishi Industrial Protocol)
- No authentication required
Risk factors
- Remotely exploitable
- No authentication required
- No patch available for some products (MELSEC-L and MELSEC-Q with early serial numbers)
- Affects control systems with safety implications
- High CVSS score (8.1)
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (3)
3 with fix
Product | Affected Versions | Fix Status
MELSEC iQ-R Series RD81MES96N | firmware ≤ 08 | firmware Version 09 and later
MELSEC-Q Series QJ71E71-100 | first five digits of serial number ≤ 24061 | Serial number 24062 and later
MELSEC-L Series LJ71E71-100 | first five digits of serial number ≤ 24061 | Serial number 24062 and later
Remediation & Mitigation
Do now
- WORKAROUND: Deploy firewall rules to restrict network access to PLCs from untrusted networks and hosts
- WORKAROUND: Use a VPN or web application firewall to control external access if Internet connectivity is required
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
- HOTFIX: Update MELSEC-Q Series QJ71E71-100 to serial numbers beginning 24062 or later
- HOTFIX: Update MELSEC-L Series LJ71E71-100 to serial numbers beginning 24062 or later
- HOTFIX: Update MELSEC iQ-R Series RD81MES96N to firmware version 09 or later
Long-term hardening
- HARDENING: Isolate PLCs on a separate LAN segment; block all inbound access from corporate networks and the Internet
CVEs (1)