Mitsubishi Electric MELSEC iQ-F Series
Monitor7.5ICS-CERT ICSA-23-061-01Mar 2, 2023
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary
FX5U(C), FX5UJ, and FX5S CPU modules, as well as FX5-ENET and FX5-ENET/IP network modules, store plaintext credentials in project files. An unauthenticated attacker who obtains a project file could extract FTP server or web server credentials and gain unauthorized access to the device's file transfer or management interfaces.
What this means
What could happen
An attacker with access to unencrypted project files could extract hardcoded FTP or web server credentials and gain unauthorized administrative access to your programmable controllers, potentially allowing them to modify program logic or read sensitive configuration data.
Who's at risk
Energy sector operators using Mitsubishi Electric FX5 series programmable logic controllers (PLCs)—including FX5U(C), FX5UJ, FX5S CPU modules and FX5-ENET/FX5-ENET/IP network interface modules—need to protect project files and restrict network access to embedded FTP and web servers on these controllers.
How it could be exploited
An attacker obtains a Mitsubishi Electric project file (through email, shared storage, or network interception). The project file contains plaintext FTP or web server credentials embedded in it. The attacker extracts these credentials and uses them to connect to the FTP or web management interface on the affected CPU or network module, gaining unauthorized access.
Prerequisites
- Access to an unencrypted Mitsubishi Electric project file (GX Works2/GX Works3 file)
- Knowledge of the FTP or web server listening on the target CPU module
- Network access to port 21 (FTP) or port 80/443 (web server) on the affected device
No patch availableplaintext credential storageaffects critical industrial automation equipmentcredentials embedded in project filesaffects common water utility and electric utility PLC controllers
Exploitability
Moderate exploit probability (EPSS 1.9%)
Affected products (5)
5 EOL
ProductAffected VersionsFix Status
All models of FX5U(C) CPU modules: *All versionsNo fix (EOL)
All models of FX5UJ CPU modules: *All versionsNo fix (EOL)
All models FX5S CPU modules: *All versionsNo fix (EOL)
FX5-ENET: *All versionsNo fix (EOL)
FX5-ENET/IP: *All versionsNo fix (EOL)
Remediation & Mitigation
0/5
Do now
0/3WORKAROUNDEncrypt all Mitsubishi Electric project files before storing, transmitting, or sharing them
HARDENINGImplement firewall rules to block inbound access to FTP (port 21) and web server ports (80, 443) on CPU modules from untrusted networks or the internet
HARDENINGUse a VPN for any remote access to Mitsubishi Electric devices requiring project file transfer or management
Schedule — requires maintenance window
0/1Patching may require device reboot — plan for process interruption
HARDENINGConfigure the IP filter function on FX5-ENET and FX5-ENET/IP modules to restrict access from unauthorized hosts
Mitigations - no patch available
0/1The following products have reached End of Life with no planned fix: All models of FX5U(C) CPU modules: *, All models of FX5UJ CPU modules: *, All models FX5S CPU modules: *, FX5-ENET: *, FX5-ENET/IP: *. Apply the following compensating controls:
HARDENINGRestrict Mitsubishi Electric CPU modules to operation within a local area network (LAN) only; prevent internet-facing exposure
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/f8806304-38ea-47e4-8c84-9e7974e19f9b