Mitsubishi Electric MELSEC iQ-R, iQ-L Series and MELIPC Series (Update E)
Plan Patch | 7.5 | ICS-CERT ICSA-22-356-03 | Dec 22, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A denial-of-service vulnerability exists in Mitsubishi Electric MELSEC iQ-R, MELSEC iQ-L, and MELIPC series PLC modules. An attacker can send a specially crafted network packet to the module's ethernet port, causing the ethernet communication to fail and the module to become unreachable. This affects PLC controllers used in power generation, distribution, and industrial automation. Many product variants have no fix available and cannot be updated, requiring network-level mitigation instead.
What this means
What could happen
An attacker with network access to these PLC modules could trigger a denial-of-service condition that crashes ethernet communication, halting remote monitoring and control of critical industrial processes.
Who's at risk
Operators of power generation, distribution, and industrial automation facilities using Mitsubishi Electric MELSEC iQ-R, MELSEC iQ-L, or MELIPC series PLC modules should assess whether they have any of these affected controllers. This is particularly critical if any of these modules are reachable from corporate networks or the internet.
How it could be exploited
An attacker sends a crafted network packet to the ethernet port of a vulnerable MELSEC or MELIPC PLC module. The module fails to properly handle the malformed packet, causing its ethernet communication to fail and the device to become unreachable from the network.
Prerequisites
- Network access to the PLC module's ethernet port (port 502 or management port)
- No authentication required
- PLC module running vulnerable firmware version
- Remotely exploitable
- No authentication required
- Low complexity exploitation
- No patch available for many product variants
- Affects critical control systems in energy sector
Exploitability
Moderate exploit probability (EPSS 1.5%)
Affected products (22)
22 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| MELSEC iQ-R Series R00CPU | ≤ firmware 32 | firmware 33 or later |
| MELSEC iQ-R Series R02CPU | ≤ firmware 32 | firmware 33 or later |
| MELSEC iQ-R Series R04(EN)CPU | ≤ firmware 65 | firmware 66 or later |
| MELSEC iQ-R Series R08(EN)CPU | ≤ firmware 65 | firmware 66 or later |
| MELSEC iQ-R Series R16(EN)CPU | ≤ firmware 65 | firmware 66 or later |
Remediation & Mitigation
Do now
- WORKAROUND: For non-updatable products, apply IP filter rules to block access from untrusted networks and hosts to the PLC module's ethernet ports
- HARDENING: Use a firewall or VPN to restrict unauthorized network access to these PLC modules from outside your local network
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption.
- HOTFIX: Update MELSEC iQ-R R00/R01/R02CPU modules to firmware version 33 or later
- HOTFIX: Update MELSEC iQ-R R04/R08/R16/R32/R120(EN)CPU modules to firmware version 66 or later
- HOTFIX: Update MELSEC iQ-R R08/R16/R32/R120SFCPU modules to firmware version 30 or later
- HOTFIX: Update MELSEC iQ-R R08/R16/R32/R120PSFCPU modules to firmware version 09 or later
- HOTFIX: Update MELSEC iQ-R R12CCPU-V module to firmware version 18 or later
- HOTFIX: Update MELSEC iQ-L L04/L08/L16/L32HCPU modules to firmware version 06 or later
- HOTFIX: Update MELIPC MI5122-VW module to firmware version 08 or later
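
An added example (not from the advisory or from Mitsubishi Electric) that checks an asset inventory against the fixed firmware versions in the update list above, and routes unlisted models to network-level mitigation. The CSV layout, the host names, the model spellings (for instance R04ENCPU for an "(EN)" variant) and the numeric firmware strings are assumptions.

```python
import csv
import io
import re

# Minimum fixed firmware per model family, transcribed from the update list above.
FIXED = [
    (r"R0[012]CPU", 33),
    (r"R(04|08|16|32|120)(EN)?CPU", 66),
    (r"R(08|16|32|120)SFCPU", 30),
    (r"R(08|16|32|120)PSFCPU", 9),
    (r"R12CCPU-V", 18),
    (r"L(04|08|16|32)HCPU", 6),
    (r"MI5122-VW", 8),
]

def min_fixed(model):
    """Return the first fixed firmware version for a model, or None if unlisted."""
    name = model.strip().upper()
    for pattern, version in FIXED:
        if re.fullmatch(pattern, name):
            return version
    return None

def audit(inventory_csv):
    """Return (host, status, fixed_version) per asset in the inventory."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        fixed = min_fixed(row["model"])
        fw = row["firmware"].strip()
        if fixed is None:
            status = "mitigate"   # no fix listed here: IP filter / segmentation
        elif not fw.isdigit():
            status = "verify"     # firmware not recorded: read it from the module
        elif int(fw) < fixed:
            status = "update"     # below the fixed version: schedule the update
        else:
            status = "ok"
        findings.append((row["host"], status, fixed))
    return findings

# Constructed sample inventory (hypothetical hosts, models and firmware values).
SAMPLE = """host,model,firmware
plc-a,R04ENCPU,65
plc-b,R08PSFCPU,09
plc-c,l16hcpu,05
plc-d,R01CPU,33
plc-e,UNLISTED-MODEL,12
plc-f,R120SFCPU,unknown
"""
```

Assets reported as `update` stay exposed until their maintenance window, so the IP filter and firewall measures under "Do now" apply to them as well as to `mitigate` assets.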
Long-term hardening
- HARDENING: Place PLC modules on an isolated segment of your local area network and configure network access controls to block untrusted hosts
CVEs (1)