OTPulse

Mitsubishi Electric MELSEC iQ-R Series/iQ-F Series (Update C)

Plan Patch · CVSS 7.5 · ICS-CERT ICSA-23-157-02 · Jun 6, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Mitsubishi Electric EtherNet/IP network modules (RJ71EIP91, FX5-ENET/IP, SW1DNN-EIPCT-BD, SW1DNN-EIPCTFX5-BD) contain vulnerabilities in FTP authentication and access control. A remote attacker can bypass authentication and connect to the module via FTP without valid credentials, potentially accessing configuration data and module functions. The vulnerabilities include hardcoded credentials, insufficient input validation, and lack of proper access controls. RJ71EIP91 in firmware version 06 or later and FX5-ENET/IP in firmware version 1.106 or later support disabling FTP and restricting connections. Earlier firmware versions cannot be patched and must rely on network-level controls.

What this means
What could happen
An attacker could remotely log in to EtherNet/IP network modules without credentials via FTP, potentially gaining access to PLC configuration data and control functions. Depending on how the module is integrated into your system, this could enable changes to control logic or process parameters.
Who's at risk
Operators of Mitsubishi Electric MELSEC iQ-R and iQ-F series PLCs, specifically those using RJ71EIP91, FX5-ENET/IP, SW1DNN-EIPCT-BD, and SW1DNN-EIPCTFX5-BD modules for EtherNet/IP connectivity. This impacts water authorities, electric utilities, and manufacturing facilities in the energy sector relying on these modules for remote monitoring or control over IP networks.
How it could be exploited
An attacker on the network sends FTP connection requests to the module on its default port. Because FTP authentication is not properly enforced, the attacker can log in without valid credentials and access files on the module. From there, they could potentially retrieve configuration files or interfere with module operation.
Prerequisites
  • Network access to the EtherNet/IP module (typically port 21 for FTP)
  • Module must be reachable from an untrusted network segment
  • No network firewall rules blocking FTP access to the module
remotely exploitable · no authentication required · low complexity · no patch available for some products · affects control system network modules
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (4)
2 with fix · 2 EOL

| Product | Affected Versions | Fix Status |
|---|---|---|
| RJ71EIP91 | All versions | 06 |
| FX5-ENET/IP | All versions | 1.106 |
| SW1DNN-EIPCT-BD | ≤ 1.01B | No fix (EOL) |
| SW1DNN-EIPCTFX5-BD | ≤ 1.01B | No fix (EOL) |
Remediation & Mitigation
Do now
  • WORKAROUND: Apply IP filtering rules to block FTP access from untrusted hosts to all affected modules
  • WORKAROUND: Set connection permissions to 'Deny connection' in the EtherNet/IP Configuration Tool for all modules
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Upgrade RJ71EIP91 to firmware version 06 or later and disable FTP in the EtherNet/IP Configuration Tool
  • HOTFIX: For FX5-ENET/IP firmware version 1.106 or later, disable FTP in the EtherNet/IP Configuration Tool for FX5-ENET/IP except during maintenance
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SW1DNN-EIPCT-BD (≤ 1.01B) and SW1DNN-EIPCTFX5-BD (≤ 1.01B). Apply the following compensating controls:
  • HARDENING: Segment EtherNet/IP modules onto a restricted VLAN and control access via firewall rules
  • HARDENING: Consider replacing RJ71EIP91 with next-generation RJ71GN11-EIP (CC-Link IE TSN Plus Master/Local Module)
  • HARDENING: Consider replacing FX5-ENET/IP with next-generation FX5-EIP module
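
One way to confirm that the IP filtering and segmentation controls above actually hold is to review firewall flow logs for FTP connections to the modules from hosts outside an allowlist. The following is an added example, not part of the advisory or of any Mitsubishi Electric tooling; the log format, IP addresses and allowlist are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress

# Assumed values for illustration: module addresses and the hosts permitted
# to reach FTP on them (e.g. an engineering workstation used for maintenance).
MODULES = {"10.20.30.11": "RJ71EIP91", "10.20.30.12": "FX5-ENET/IP"}
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.40.5/32")]
FTP_PORT = 21

# Constructed sample flow records: timestamp, src, dst, proto, dst_port, action.
SAMPLE_FLOWS = """\
2023-06-06T08:00:01Z,10.20.40.5,10.20.30.11,tcp,21,allow
2023-06-06T08:02:17Z,192.168.50.23,10.20.30.11,tcp,21,allow
2023-06-06T08:02:40Z,192.168.50.23,10.20.30.12,tcp,21,deny
2023-06-06T08:03:05Z,192.168.50.23,10.20.30.12,tcp,44818,allow
2023-06-06T08:04:11Z,10.20.40.9,10.20.30.12,tcp,21,allow
"""

def is_allowed(src):
    """True when the source address falls inside an allowlisted network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_SOURCES)

def find_untrusted_ftp(flow_csv):
    """Return FTP flows to affected modules from sources outside the allowlist."""
    findings = []
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 6:
            continue  # skip blank or malformed records
        ts, src, dst, proto, port, action = row
        if dst not in MODULES or proto != "tcp" or int(port) != FTP_PORT:
            continue
        if is_allowed(src):
            continue
        # "allow": the filter let the connection through, a gap to close.
        # "deny": the filter worked, but the attempt still merits review.
        severity = "filter-gap" if action == "allow" else "blocked-attempt"
        findings.append((ts, src, MODULES[dst], severity))
    return findings

if __name__ == "__main__":
    for finding in find_untrusted_ftp(SAMPLE_FLOWS):
        print(*finding, sep="  ")
```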
Mitsubishi Electric MELSEC iQ-R Series/iQ-F Series (Update C) | CVSS 7.5 - OTPulse