Mitsubishi Electric MELSEC Series CPU module (Update D)
Plan PatchCVSS 10ICS-CERT ICSA-23-143-03May 23, 2023
Mitsubishi ElectricEnergy
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary
A buffer overflow vulnerability in Mitsubishi Electric MELSEC iQ-F and iQ-R Series CPU modules allows remote attackers to send specially crafted packets that cause a denial-of-service condition or execute arbitrary code on the PLC. The vulnerability affects multiple iQ-F Series models with firmware 1.220–1.281 and multiple iQ-R Series CPU variants with various firmware version ranges (R00/01/02: ≤35; R04/08/16/32/120(EN): 12–68; R08/16/32/120SFCPU: 26–31; R08/16/32/120PCPU: 3–37). No authentication is required for exploitation.
What this means
What could happen
An attacker could remotely crash or halt affected Mitsubishi Electric MELSEC PLC controllers, or execute arbitrary code to alter process logic and setpoints. This affects any automated control systems relying on these PLCs for critical operations like power distribution, water treatment, or manufacturing.
Who's at risk
Energy sector operators using Mitsubishi Electric MELSEC iQ-F or iQ-R series PLC controllers for power generation, distribution, or substations should assess whether their equipment is within the vulnerable firmware versions. This includes any water, wastewater, or manufacturing facility relying on these PLCs for process automation and real-time control.
How it could be exploited
An attacker on the network sends specially crafted packets to the PLC's Ethernet port (port 502 for MELSEC). The PLC processes the malformed packet without proper bounds checking, leading to a buffer overflow. This allows the attacker to crash the PLC or inject malicious control logic that runs on restart.
Prerequisites
- Network connectivity to the PLC Ethernet port (typically port 502)
- The affected firmware version must be running (iQ-F: 1.220–1.281; iQ-R R00/01/02: ≤35; iQ-R R04/08/16/32/120(EN): 12–68; iQ-R SFCPU: 26–31; iQ-R PCPU: 3–37)
Remotely exploitable over networkNo authentication requiredLow attack complexityCritical CVSS score (10.0)No firmware patch available for some MELSEC iQ-R SFCPU modelsAffects critical infrastructure control systemsBuffer overflow (CWE-120) enables both denial of service and code execution
Exploitability
Some exploitation risk — EPSS score 3.7%
Affected products (43)
16 with fix27 pending
ProductAffected VersionsFix Status
MELSEC iQ-F Series FX5U-80MT/DSS, Serial number 17X**** or later: >=1.220|<=1.281≥ 1.220|≤ 1.281No fix yet
MELSEC iQ-F Series FX5U-80MR/ES, Serial number 17X**** or later: >=1.220|<=1.281≥ 1.220|≤ 1.281No fix yet
MELSEC iQ-F Series FX5U-80MR/DS, Serial number 17X**** or later: >=1.220|<=1.281≥ 1.220|≤ 1.281No fix yet
MELSEC iQ-F Series FX5UC-32MT/D, Serial number 17X**** or later: >=1.220|<=1.281≥ 1.220|≤ 1.281No fix yet
MELSEC iQ-F Series FX5UC-32MT/DSS, Serial number 17X**** or later: >=1.220|<=1.281≥ 1.220|≤ 1.281No fix yet
Remediation & Mitigation
0/8
Do now
0/2WORKAROUNDEnable IP filter function on affected PLCs to block access from untrusted hosts and networks
HARDENINGDeploy firewall or VPN to restrict network access to PLC Ethernet ports; block all inbound traffic except from authorized engineering workstations and SCADA servers
Schedule — requires maintenance window
0/5Patching may require device reboot — plan for process interruption
HOTFIXUpdate MELSEC iQ-F Series to firmware version 1.290 or later
HOTFIXUpdate MELSEC iQ-R Series R00/01/02CPU to firmware version 36 or later
HOTFIXUpdate MELSEC iQ-R Series R04/08/16/32/120(EN)CPU to firmware version 69 or later
HOTFIXUpdate MELSEC iQ-R Series R08/16/32/120SFCPU to firmware version 32 or later
HOTFIXUpdate MELSEC iQ-R Series R08/16/32/120PCPU to firmware version 38 or later
Long-term hardening
0/1HARDENINGRestrict physical network access to LAN segments connected to affected MELSEC PLCs; use network segmentation to isolate control systems from corporate networks
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/5bb7f98a-43cd-475d-a4fa-801df0c11c38Get OT security insights every Tuesday
Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.