OTPulse

Mitsubishi Electric MELSEC-F Series

Act Now | 9.1 | ICS-CERT ICSA-23-285-13 | Oct 12, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Mitsubishi Electric MELSEC-F series programmable logic controllers (PLCs) contain an authentication bypass vulnerability affecting all versions of multiple FX series models. A remote attacker without credentials can read sequence programs from the device, upload malicious programs, or write improper data to the device. The vulnerability exists across FX3SA, FX3U, FX3UC, FX3G, FX3GC, FX3GE, FX3GA, and FX3S series PLCs with various I/O configurations.

What this means
What could happen
An attacker could read your PLC programs to understand plant operations, upload malicious programs to alter setpoints or stop processes, or corrupt system data—all without needing valid credentials. This could disrupt water treatment, pumping operations, or power distribution depending on what the PLC controls.
Who's at risk
Water utilities and municipal electric systems using Mitsubishi Electric MELSEC-F series PLCs for critical operations are affected. These devices are commonly used in pump stations, treatment processes, switchyards, and automated substations. All versions of the affected FX-series PLCs have no available patch, making this a long-term risk for any organization operating these devices.
How it could be exploited
An attacker with network reachability to the PLC (typically port 502 or proprietary Mitsubishi ports) can send unauthenticated commands to extract program code, write new programs, or modify device data. No user interaction or valid credentials are required. The attack can occur from the internet if the device is exposed or from an internal network if an attacker gains initial access.
Prerequisites
  • Network reachability to the PLC (wired or wireless LAN access)
  • No valid credentials or authentication required
  • Access to Mitsubishi MELSEC communication protocol or tools (e.g., GX Works2 engineering software, or raw protocol packets)
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • No vendor patch available
  • Affects multiple PLC families in wide use
  • Could impact safety systems if PLCs control critical interlocks or alarms
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (16)
16 pending
Product | Affected Versions | Fix Status
MELSEC-F FX3SA-xMy-CM x=10,14,20,30, y=T,R: vers:all/* | All versions | No fix yet
MELSEC-F series FX3U-xMy/z x=16,32,48,64,80,128, y=T,R, z=ES,ESS,DS,DSS: vers:all/* | All versions | No fix yet
MELSEC-F series FX3U-32MR/UA1, FX3U-64MR/UA1: vers:all/* | All versions | No fix yet
MELSEC-F FX3U-32MS/ES, FX3U-64MS/ES: vers:all/* | All versions | No fix yet
MELSEC-F FX3U-xMy/ES-A x=16,32,48,64,80,128, y=T,R: vers:all/* | All versions | No fix yet
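
The model patterns in the product rows above can be expanded into concrete part numbers and matched against an asset inventory. This is an added example, not part of the advisory: the asset names and inventory are constructed, and it covers only the product rows shown on this page.

```python
import itertools

# Product rows as printed in the advisory table (only the rows shown on the page).
ADVISORY_ROWS = [
    "FX3SA-xMy-CM x=10,14,20,30, y=T,R",
    "FX3U-xMy/z x=16,32,48,64,80,128, y=T,R, z=ES,ESS,DS,DSS",
    "FX3U-32MR/UA1, FX3U-64MR/UA1",
    "FX3U-32MS/ES, FX3U-64MS/ES",
    "FX3U-xMy/ES-A x=16,32,48,64,80,128, y=T,R",
]

def expand_row(row):
    """Expand one row into concrete model names.

    Lowercase x/y/z in a template are placeholders; 'x=10,14' lists their values.
    Rows without placeholders are comma-separated literal model names.
    """
    tokens = [t.rstrip(",") for t in row.split()]
    variables = {k: v.split(",") for k, v in (t.split("=", 1) for t in tokens if "=" in t)}
    templates = [t for t in tokens if "=" not in t]
    names = sorted(variables)
    models = set()
    for template in templates:
        # With no placeholders, product() yields one empty combo: template is kept as-is.
        for combo in itertools.product(*(variables[n] for n in names)):
            values = dict(zip(names, combo))
            models.add("".join(values.get(ch, ch) for ch in template))
    return models

LISTED_MODELS = set().union(*(expand_row(r) for r in ADVISORY_ROWS))

def flag_inventory(inventory):
    """Return (asset, model) pairs whose model matches a listed row.

    A miss only means "not in the rows transcribed here": the advisory counts
    16 affected products, so check the full list before clearing an asset.
    """
    return [(asset, model) for asset, model in inventory
            if model.strip().upper() in LISTED_MODELS]

# Constructed sample inventory (hypothetical asset tags, not from the advisory).
SAMPLE_INVENTORY = [
    ("pump-station-1", "FX3U-32MR/ES"),
    ("pump-station-2", "fx3sa-14mt-cm "),
    ("substation-a", "FX3U-24MR/ES"),  # x=24 is not among the listed values
    ("booster-3", "FX3U-64MS/ES"),
]

if __name__ == "__main__":
    for asset, model in flag_inventory(SAMPLE_INVENTORY):
        print(f"{asset}: {model.strip().upper()} is listed, all versions, no fix")
```
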
Remediation & Mitigation
Do now
WORKAROUND: Implement a firewall to block unauthorized network access to the PLC. Restrict inbound traffic to only trusted engineering workstations and control systems on specific ports used by MELSEC devices.
HARDENING: Restrict physical access to the PLC and the local area network it connects to. Limit who can plug devices into the network segment containing the PLC.
HARDENING: Use a VPN or dedicated secure channel if remote engineering access is required. Never expose MELSEC PLCs directly to the internet or untrusted networks.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Segment the PLC onto an isolated control network. Prevent direct communication between the PLC network and corporate IT networks using network boundaries (DMZ, separate VLANs, industrial firewalls).