Mitsubishi Electric MELSEC-F Series
Monitor | 7.5 | ICS-CERT ICSA-23-180-04 | Jun 29, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Mitsubishi Electric MELSEC-F series programmable logic controllers (PLCs) contain an authentication bypass vulnerability. An attacker can send specially crafted packets to log in to the device without valid credentials. The vulnerability affects all versions of FX3GE, FX3U, FX3UC, FX3G, FX3GC, FX3GA, FX3S, and FX3SA series PLCs. No vendor fix is available for any affected product.
What this means
What could happen
An attacker could gain unauthorized access to MELSEC-F series PLCs and execute arbitrary commands, potentially altering process setpoints, disabling safety interlocks, or halting plant operations. This affects water treatment, power generation, and other critical infrastructure that relies on these controllers.
Who's at risk
Water authorities and municipal utilities operating power distribution or treatment systems that use Mitsubishi MELSEC-F series PLCs (FX3 family) for process control. This includes FX3GE, FX3U, FX3UC, FX3G, FX3GC, FX3GA, FX3S, and FX3SA controllers used in automated pump control, chemical dosing, power switching, and equipment sequencing.
How it could be exploited
An attacker on the network sends specially crafted packets to the PLC's network interface (remotely exploitable, no credentials required). Once authenticated, the attacker can issue commands directly to the PLC through the Mitsubishi communication protocol, allowing modification of logic, I/O states, or process parameters.
Prerequisites
- Network reachability to the affected PLC (port 502 or Mitsubishi proprietary port, depending on protocol variant)
- No valid credentials or prior authentication required
remotely exploitable | no authentication required | low complexity | no patch available | affects critical infrastructure PLCs
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (16)
16 pending
| Product | Affected Versions | Fix Status |
|---|---|---|
| FX3GE-xMy/z x=24,40, y=T,R, z=ES,ESS,DS,DSS: * | All versions | No fix yet |
| FX3U-xMy/z x=16,32,48,64,80,128, y=T,R, z=ES,ESS,DS,DSS: * | All versions | No fix yet |
| FX3U-32MR/UA1, FX3U-64MR/UA1: * | All versions | No fix yet |
| FX3U-32MS/ES, FX3U-64MS/ES: * | All versions | No fix yet |
| FX3U-xMy/ES-A x=16,32,48,64,80,128, y=T,R: * | All versions | No fix yet |
Remediation & Mitigation
Do now
- WORKAROUND: Implement firewall rules to restrict network access to the PLC from untrusted networks and hosts. Allow only engineering workstations and HMI systems on approved subnets to communicate with the PLC.
- HARDENING: Deploy the affected PLCs on an isolated LAN segment (network segmentation) separate from corporate IT networks and the internet.
- HARDENING: If internet or remote access is required, use a VPN gateway with multi-factor authentication to control access to the OT network, ensuring all traffic is encrypted and logged.
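An added example (not part of the advisory or the vendor's guidance): a Python audit that checks flow records against the allowlist described in the firewall workaround above and reports any source outside the approved subnets that reached a PLC. The PLC addresses, approved subnets, record format, port numbers and sample records are all constructed assumptions.

```python
import ipaddress

# Assumed site inventory (constructed for this example).
PLC_HOSTS = {ipaddress.ip_address(a) for a in ("10.20.30.11", "10.20.30.12")}
APPROVED_SOURCES = [
    ipaddress.ip_network("10.20.30.64/28"),  # engineering workstations
    ipaddress.ip_network("10.20.31.0/28"),   # HMI systems
]

# Constructed flow records: "<timestamp> <src_ip> <dst_ip> <dst_port>".
SAMPLE_FLOWS = """\
2023-06-29T08:00:01Z 10.20.30.66 10.20.30.11 502
2023-06-29T08:00:07Z 10.20.31.5 10.20.30.12 9999
2023-06-29T08:01:13Z 10.50.4.23 10.20.30.11 502
2023-06-29T08:02:40Z 192.0.2.44 10.20.30.12 9999
2023-06-29T08:03:02Z 10.50.4.23 10.50.4.1 443
2023-06-29T08:03:09Z truncated-record
"""

def parse_flow(line):
    """Return (timestamp, src, dst, dport), or None if the record is malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, src, dst, dport = parts
    try:
        return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)
    except ValueError:
        return None

def audit_flows(flow_text, plc_hosts=PLC_HOSTS, approved=APPROVED_SOURCES):
    """Return (violations, malformed) for the given flow log text."""
    violations, malformed = [], []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow is None:
            malformed.append(line)  # keep for review instead of dropping silently
            continue
        ts, src, dst, dport = flow
        # Match on destination only: the port depends on the protocol variant.
        if dst in plc_hosts and not any(src in net for net in approved):
            violations.append((ts, str(src), str(dst), dport))
    return violations, malformed

if __name__ == "__main__":
    bad, junk = audit_flows(SAMPLE_FLOWS)
    for ts, src, dst, dport in bad:
        print(f"{ts} unapproved source {src} -> PLC {dst}:{dport}")
    print(f"{len(junk)} malformed record(s) skipped")
```

Any violation reported after the firewall rules are in place means a path to the PLC exists that the rules do not cover.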
Long-term hardening
- HARDENING: Restrict physical access to affected PLCs and their network connections to authorized personnel only.
CVEs (1)