OTPulse

Mitsubishi Electric MELSEC iQ-R, Q, L Series and MELIPC Series (Update C)

Monitor · 7.5 · ICS-CERT ICSA-22-172-01 · Jun 14, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A vulnerability in Mitsubishi Electric MELSEC iQ-R, Q, L series and MELIPC series PLCs allows a remote attacker to send a specially crafted Ethernet packet that causes a denial-of-service condition. When exploited, the affected PLC becomes unresponsive to all Ethernet communication and must be manually restarted to restore functionality. The vulnerability is triggered during the Ethernet communication protocol handling and does not require authentication or special configuration. MELSEC iQ-R Series R12CCPU-V firmware versions 16 and earlier are affected. MELSEC Q Series (multiple models) with serial numbers prior to 24062 or 24052 depending on model are affected. MELSEC L Series (L02CPU, L06CPU, L26CPU variants) with serial numbers prior to 24052 are affected. MELIPC MI5122-VW firmware versions 05 and earlier are affected.

What this means
What could happen
An attacker can send specially crafted Ethernet packets to a MELSEC or MELIPC PLC, causing it to stop responding to network communication. The PLC must be manually restarted to restore operation, potentially interrupting production or critical infrastructure control.
Who's at risk
Water and electric utilities operating Mitsubishi MELSEC or MELIPC programmable logic controllers (PLCs). Specifically: MELSEC iQ-R R12CCPU-V, MELSEC Q series (Q03/Q04/Q06/Q10/Q13/Q20/Q26/Q50/Q100 UDECPU, Q03/Q04/Q06/Q13/Q26 UDVCPU, Q04/Q06/Q13/Q26 UDPVCPU, Q12DCCPU-V, Q24DHCCPU variants, Q26DHCCPU-LS), MELSEC L series (L02/L06/L26 CPU variants), and MELIPC MI5122-VW. These devices control pumps, motors, valves, and other critical equipment in water treatment and power distribution systems.
How it could be exploited
An attacker with network access to the Ethernet port of a vulnerable MELSEC iQ-R, Q, or L series PLC, or MELIPC series CPU, sends a malformed packet that triggers a denial-of-service condition. No authentication is required. The PLC ceases all Ethernet communication until manually rebooted.
Prerequisites
  • Network access to the Ethernet port of the PLC (port 502 or other configured Modbus TCP port)
  • No credentials or authentication required
  • Remotely exploitable via Ethernet network
  • No authentication required
  • Low attack complexity
  • No patch available for majority of products (Q, L, and MELIPC series)
  • Denial of service to critical control systems
  • Affects industrial control systems
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (28)
28 pending

Product | Affected Versions | Fix Status
MELSEC iQ-R Series R12CCPU-V CPU Firmware | ≤ 16 | No fix yet
MELSEC Q Series Q03UDECPU | First 5 digits of serial number ≤ 24061 | No fix yet
MELSEC Q Series Q04UDECPU | First 5 digits of serial number ≤ 24061 | No fix yet
MELSEC Q Series Q06UDECPU | First 5 digits of serial number ≤ 24061 | No fix yet
MELSEC Q Series Q10UDECPU | First 5 digits of serial number ≤ 24061 | No fix yet
Remediation & Mitigation
Do now
HARDENING: For MELSEC Q Series, L Series, or MELIPC Series systems where firmware update is not possible: Implement network segmentation to restrict unauthorized access to the PLC Ethernet port. Allow only known engineering workstations and HMI systems to communicate with the PLC.
HARDENING: For MELSEC iQ-R Series firmware v08 or earlier (cannot be updated to v17): Implement network segmentation and firewall rules to restrict Ethernet communication to the PLC to only authorized sources.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: If using MELSEC iQ-R Series firmware v09 or later, download and install fixed firmware v17 or later from Mitsubishi. Coordinate with your controls vendor to schedule the firmware update during a maintenance window to avoid production interruption.
Long-term hardening
HARDENING: Consider a long-term migration plan from MELSEC Q and L series to MELSEC iQ-R series, as Q and L series cannot be patched and will remain at risk.
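
The affected-version thresholds and remediation branches above can be applied to an asset inventory with a short script. This is an added example, not code from Mitsubishi, ICS-CERT or OTPulse. Assumptions: the record fields (tag, model, firmware, serial) and the sample inventory are constructed, L series variants are matched by model-name prefix, and only models whose threshold is stated on this page are covered (anything else is reported as unknown).

```python
# Added example: thresholds are from this page; field names and sample data are constructed.
# Serial thresholds apply to the first 5 digits of the serial number (inclusive).
SERIAL_MAX = {"Q03UDECPU": 24061, "Q04UDECPU": 24061,
              "Q06UDECPU": 24061, "Q10UDECPU": 24061}
L_SERIES_PREFIXES = ("L02CPU", "L06CPU", "L26CPU")  # assumption: variants share the prefix
FIRMWARE_MAX = {"R12CCPU-V": 16, "MI5122-VW": 5}
SEGMENT = "segment: allow only known engineering workstations and HMIs"
UPDATE = "update to firmware v17 or later in a maintenance window"


def triage(model, firmware=None, serial=None):
    """Return (status, action) for one inventory record."""
    model = model.strip().upper()
    if model in FIRMWARE_MAX:
        if firmware is None:
            return ("unknown", "record the firmware version")
        if int(firmware) > FIRMWARE_MAX[model]:
            return ("not affected", "none")
        # Per the page, only iQ-R firmware v09 or later can take the v17 fix.
        if model == "R12CCPU-V" and int(firmware) >= 9:
            return ("affected", UPDATE)
        return ("affected", SEGMENT)
    limit = SERIAL_MAX.get(model)
    if limit is None and model.startswith(L_SERIES_PREFIXES):
        limit = 24051  # L series: "prior to 24052"
    if limit is None:
        return ("unknown", "model not covered here; check the vendor advisory")
    digits = str(serial or "")[:5]
    if len(digits) != 5 or not digits.isdigit():
        return ("unknown", "record the serial number")
    if int(digits) <= limit:
        return ("affected", SEGMENT)
    return ("not affected", "none")


def triage_inventory(records):
    return {r["tag"]: triage(r["model"], r.get("firmware"), r.get("serial"))
            for r in records}


SAMPLE = [  # constructed records, not real devices
    {"tag": "PLC-01", "model": "R12CCPU-V", "firmware": 12},
    {"tag": "PLC-02", "model": "R12CCPU-V", "firmware": 8},
    {"tag": "PLC-03", "model": "Q06UDECPU", "serial": "240610000000000"},
    {"tag": "PLC-04", "model": "L26CPU-BT", "serial": "240520000000000"},
]

if __name__ == "__main__":
    for tag, result in triage_inventory(SAMPLE).items():
        print(tag, *result, sep=" | ")
```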