Mitsubishi Electric MELSEC iQ-F, iQ-R Series
Monitor | 5.9 | ICS-CERT ICSA-23-017-02 | Jan 17, 2023
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
A vulnerability in the firmware update function of MELSEC iQ-F and iQ-R series PLCs stems from insufficient entropy in random number generation (CWE-337). This allows an attacker with network access to potentially influence the firmware update process and manipulate PLC code or firmware. The vulnerability affects multiple FX5-series compact controllers (FX5U, FX5UC, FX5UJ, FX5S) and R-series CPU modules across several firmware versions. Exploitation requires high attack complexity and network-level access to intercept the update mechanism.
What this means
What could happen
An attacker with network access to a MELSEC PLC could exploit insufficient randomness in the firmware update process to manipulate program code or firmware, potentially altering control logic or stopping operations. The high attack complexity limits the practical risk, but successful exploitation could cause unintended process changes.
Who's at risk
Energy utilities and industrial facilities using Mitsubishi Electric MELSEC iQ-F and iQ-R series PLCs, specifically FX5U/FX5UC/FX5UJ/FX5S controllers and R-series CPU modules. These are compact PLCs commonly used in distributed control systems for power distribution, water treatment, and manufacturing automation. Some product variants have limited regional availability.
How it could be exploited
An attacker with network reachability to the PLC's Ethernet port must intercept or predict the firmware update mechanism's random values during the update process. This requires network-level access and knowledge of the PLC's update protocol, making it difficult but not impossible if the attacker can position themselves on the network segment.
Prerequisites
- Network access to the PLC's Ethernet port (port 502 or equivalent Mitsubishi communication port)
- Ability to intercept or influence the firmware update process
- Physical or network proximity to perform cryptographic attacks on the random number generation
- Knowledge of the specific PLC model and firmware update protocol
- Remotely exploitable over network
- No authentication required for network access
- High attack complexity (requires crypto prediction)
- No patch available for all affected products
- Affects industrial control logic
Exploitability
Moderate exploit probability (EPSS 2.2%)
Affected products (10)
1 with fix, 9 pending
Product | Affected Versions | Fix Status
MELSEC iQ-F and iQ-R Series products: MELSEC iQ-F Series FX5UC-32MT/DS-TS, FX5UC-32MT/DSS-TS, FX5UC-32MR/DS-TS | ≤ 1.280 | 1.281 or later
MELSEC iQ-F and iQ-R Series products: FX5U-xMy/z x=32,64,80, y=T,R, z=ES,DS,ESS,DSS | ≤ 1.280 | No fix yet
MELSEC iQ-F and iQ-R Series products: FX5U-xMy/z x=32,64,80, y=T,R, z=ES,DS,ESS,DSS | ≤ 1.074 | No fix yet
MELSEC iQ-F and iQ-R Series products: FX5UC-xMy/z x=32,64,96 y=T, z=D,DSS | ≤ 1.280 | No fix yet
MELSEC iQ-F and iQ-R Series products: FX5UC-xMy/z x=32,64,96 y=T, z=D,DSS | ≤ 1.074 | No fix yet
MELSEC iQ-F and iQ-R Series products: FX5UJ-xMy/z x=24,40,60, y=T,R, z=ES,ESS | ≤ 1.042 | No fix yet
MELSEC iQ-F and iQ-R Series products: FX5UJ-xMy/ES-A* x=24,40,60, y=T,R | ≤ 1.043 | No fix yet
MELSEC iQ-F and iQ-R Series products: FX5S-xMy/z* x=30,40,60,80, y=T,R, z=ES,ESS | ≤ 1.003 | No fix yet
Remediation & Mitigation
Do now
- WORKAROUND: Enable IP filter function on PLCs to block firmware update traffic from untrusted networks and hosts
- HARDENING: Deploy firewall rules to restrict network access to PLC Ethernet ports from engineering workstations and authorized networks only
- HARDENING: If internet connectivity is required, use VPN to tunnel PLC management traffic
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update FX5U and FX5UC firmware to v1.281 (for serial 17X****) or v1.075 (for serial 179**** and prior)
- HOTFIX: Update FX5UJ firmware to v1.044 or later (standard) or v1.045 or later (ES-A variant)
- HOTFIX: Update FX5S firmware to v1.004 or later
- HOTFIX: Update MELSEC iQ-R R00/01/02CPU to version 34 or later
- HOTFIX: Update MELSEC iQ-R R04/08/16/32/120(EN)CPU to version 67 or later
CVEs (1)