Mitsubishi Electric MELSEC iQ-F, iQ-R Series

MonitorCVSS 5.9ICS-CERT ICSA-23-017-02Jan 17, 2023

Mitsubishi ElectricEnergy

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityHigh

User InteractionNone needed

Summary

A vulnerability in the firmware update function of MELSEC iQ-F and iQ-R series PLCs stems from insufficient entropy in random number generation (CWE-337). This allows an attacker with network access to potentially influence the firmware update process and manipulate PLC code or firmware. The vulnerability affects multiple FX5-series compact controllers (FX5U, FX5UC, FX5UJ, FX5S) and R-series CPU modules across several firmware versions. Exploitation requires high attack complexity and network-level access to intercept the update mechanism.

What this means

What could happen

An attacker with network access to a MELSEC PLC could exploit insufficient randomness in the firmware update process to manipulate program code or firmware, potentially altering control logic or stopping operations. The high attack complexity limits the practical risk, but successful exploitation could cause unintended process changes.

Who's at risk

Energy utilities and industrial facilities using Mitsubishi Electric MELSEC iQ-F and iQ-R series PLCs, specifically: FX5U/FX5UC/FX5UJ/FX5S controllers and R-series CPU modules. These are compact PLCs commonly used in distributed control systems for power distribution, water treatment, and manufacturing automation. Limited regional availability in some product variants.

How it could be exploited

An attacker with network reachability to the PLC's Ethernet port must intercept or predict the firmware update mechanism's random values during the update process. This requires network-level access and knowledge of the PLC's update protocol, making it difficult but not impossible if the attacker can position themselves on the network segment.

Prerequisites

Network access to the PLC's Ethernet port (port 502 or equivalent Mitsubishi communication port)
Ability to intercept or influence the firmware update process
Physical or network proximity to perform cryptographic attacks on the random number generation
Knowledge of the specific PLC model and firmware update protocol

Remotely exploitable over networkNo authentication required for network accessHigh attack complexity (requires crypto prediction)No patch available for all affected productsAffects industrial control logic

Exploitability

Some exploitation risk — EPSS score 2.2%

Affected products (10)

1 with fix9 pending

ProductAffected VersionsFix Status

MELSEC iQ-F and iQ-R Series products: MELSEC iQ-F Series FX5UC-32MT/DS-TS, FX5UC-32MT/DSS-TS, FX5UC-32MR/DS-TS:≤ 1.2801.281+

MELSEC iQ-F and iQ-R Series products: FX5U-xMy/z x=32,64,80, y=T,R, z=ES,DS,ESS,DSS:≤ 1.280No fix yet

MELSEC iQ-F and iQ-R Series products: FX5U-xMy/z x=32,64,80, y=T,R, z=ES,DS,ESS,DSS:≤ 1.074No fix yet

MELSEC iQ-F and iQ-R Series products: FX5UC-xMy/z x=32,64,96 y=T, z=D,DSS:≤ 1.280No fix yet

MELSEC iQ-F and iQ-R Series products: FX5UC-xMy/z x=32,64,96 y=T, z=D,DSS:≤ 1.074No fix yet

MELSEC iQ-F and iQ-R Series products: FX5UJ-xMy/z x=24,40,60, y=T,R, z=ES,ESS:≤ 1.042No fix yet

MELSEC iQ-F and iQ-R Series products: FX5UJ-xMy/ES-A* x=24,40,60, y=T,R:≤ 1.043No fix yet

MELSEC iQ-F and iQ-R Series products: FX5S-xMy/z* x=30,40,60,80, y=T,R, z=ES,ESS:≤ 1.003No fix yet

Remediation & Mitigation

0/8

Do now

0/3

WORKAROUNDEnable IP filter function on PLCs to block firmware update traffic from untrusted networks and hosts

HARDENINGDeploy firewall rules to restrict network access to PLC Ethernet ports from engineering workstations and authorized networks only

HARDENINGIf internet connectivity is required, use VPN to tunnel PLC management traffic

Schedule — requires maintenance window

0/5

Patching may require device reboot — plan for process interruption

HOTFIXUpdate FX5U and FX5UC firmware to v1.281 (for serial 17X****) or v1.075 (for serial 179**** and prior)

HOTFIXUpdate FX5UJ firmware to v1.044 or later (standard) or v1.045 or later (ES-A variant)

HOTFIXUpdate FX5S firmware to v1.004 or later

HOTFIXUpdate MELSEC iQ-R R00/01/02CPU to version 34 or later

HOTFIXUpdate MELSEC iQ-R R04/08/16/32/120(EN)CPU to version 67 or later

CVEs (1)

CVE-2022-40267

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/cd08d78c-91f1-42d9-9d2c-2f93ab5e5376

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.