OTPulse

Mitsubishi Electric MELSEC iQ-F/iQ-R Series CPU Module (Update A)

CVSS v3 base score: 5.3
Source: ICS-CERT ICSA-23-306-02
Published: Nov 2, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The Mitsubishi Electric MELSEC iQ-F and iQ-R series CPU modules contain a weak rate limiting vulnerability in the web server login function. An attacker can perform repeated login attempts without restriction, exhausting the web server's capacity and denying service to legitimate users attempting to access the web interface. This prevents remote management, monitoring, and diagnostics of the PLC for the duration of the attack.

What this means
What could happen
An attacker can flood the web server function with login requests, locking legitimate engineering staff out of remote management and monitoring of the PLC via the web interface. The denial-of-service condition persists only as long as the attack continues, but while it lasts it can delay the response to operational issues. The advisory describes no impact on the control program itself; the PLC keeps executing.
Who's at risk
Energy utilities operating Mitsubishi Electric FX5U, FX5UC, FX5UJ, FX5S, and R-series CPU modules for process automation, power distribution control, or monitoring. This affects any site that relies on the web server interface for remote engineering access or diagnostics.
How it could be exploited
An attacker with network access to the PLC's Ethernet port (the web server normally listens on TCP port 80 or 443) can send a continuous stream of login attempts without valid credentials. The device neither rate-limits failed logins nor locks out the account, so the attempts consume the web server's connection capacity and legitimate users cannot authenticate.
Prerequisites
  • Network connectivity to the PLC's Ethernet interface (TCP port 80 or 443)
  • No authentication required to initiate the attack
  • The web server function must be enabled on the PLC
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • No patch available
  • Affects engineering access and process visibility
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (11)
8 pending fix, 3 end of life (the end-of-life iQ-R models are listed under Mitigations below)

Product | Affected versions | Fix status
FX5U-xMy/z (x=32,64,80; y=T,R; z=ES,DS,ESS,DSS), serial number 17X**** and later | All versions | No fix yet
FX5U-xMy/z (x=32,64,80; y=T,R; z=ES,DS,ESS,DSS), serial number 179**** and prior | 1.060 and later | No fix yet
FX5UC-xMy/z (x=32,64,96; y=T; z=D,DSS), serial number 17X**** and later | All versions | No fix yet
FX5UC-xMy/z (x=32,64,96; y=T; z=D,DSS), serial number 179**** and prior | 1.060 and later | No fix yet
FX5UC-32MT/DS-TS, FX5UC-32MT/DSS-TS, FX5UC-32MR/DS-TS | All versions | No fix yet
FX5UJ-xMy/z (x=24,40,60; y=T,R; z=ES,DS,ESS,DSS) | All versions | No fix yet
FX5UJ-xMy/ES-A* (x=24,40,60; y=T,R) | All versions | No fix yet
FX5S-xMy/z (x=30,40,60,80*; y=T,R; z=ES,ESS) | All versions | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Deploy a firewall rule that restricts access to the PLC's web interface (TCP 80/443) to known engineering workstations only.
HARDENING: Configure the IP filter function on the PLC so that it accepts connections only from trusted internal networks and rejects all other hosts.
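The two controls above only work if you can see who is hammering the web port and confirm that the allowlist would have stopped them. The following is an added example written for this page, not code from Mitsubishi Electric or from the advisory: it parses Zeek-style conn.log records from a tap on the OT segment, applies a sliding-window count of new TCP connections per source to the PLC web ports (the rate limit the device itself lacks, as described under "How it could be exploited"), checks each flagged source against the engineering-workstation allowlist, and emits the nftables forward-chain rules that implement the WORKAROUND. The PLC address 10.10.7.10, the engineering range 10.10.5.0/27, the log records and the threshold of 20 connections in 10 seconds are all constructed assumptions; tune the threshold to the connection rate your engineering clients actually produce.

```python
"""
Detect login floods against a MELSEC web server and check the sources
against the engineering allowlist. Added example, not advisory code.
Assumes Zeek-style conn.log fields: ts, id.orig_h, id.resp_h, id.resp_p.
"""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

PLC_IP = "10.10.7.10"                                  # assumed PLC address (constructed)
PLC_WEB_PORTS = {80, 443}                              # web server function ports
ENGINEERING_ALLOWLIST = [ip_network("10.10.5.0/27")]   # assumed engineering VLAN (constructed)

# Constructed sample records (tab-separated: ts, orig_h, resp_h, resp_p):
# a workstation logging in three times over 40 s, one Modbus/TCP flow that must
# be ignored, an attacker opening 40 connections in 10 s, and one stray host.
_legit = [f"{1699000000 + 20 * i:.3f}\t10.10.5.21\t{PLC_IP}\t80" for i in range(3)]
_modbus = [f"1699000005.000\t10.10.5.21\t{PLC_IP}\t502"]
_flood = [f"{1699000100 + 0.25 * i:.3f}\t192.168.50.77\t{PLC_IP}\t80" for i in range(40)]
_stray = [f"1699000200.000\t10.10.9.5\t{PLC_IP}\t443"]
SAMPLE_CONN_LOG = "\n".join(_legit + _modbus + _flood + _stray)


def parse_conn_log(text):
    """Yield (ts, src, dst, dport) tuples, skipping Zeek '#' header lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split("\t")[:4]
        yield float(ts), src, dst, int(dport)


def find_login_floods(records, plc_ip=PLC_IP, window=10.0, threshold=20):
    """
    Sliding-window count of new TCP connections per source to the PLC web
    ports. Returns {src: peak connections seen inside one window} for every
    source that reaches `threshold` connections within `window` seconds.
    Connections to other ports (e.g. Modbus/TCP 502) are not counted.
    """
    recent = defaultdict(deque)
    peak = {}
    for ts, src, dst, dport in sorted(records):
        if dst != plc_ip or dport not in PLC_WEB_PORTS:
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:      # drop timestamps older than the window
            q.popleft()
        if len(q) >= threshold:
            peak[src] = max(peak.get(src, 0), len(q))
    return peak


def is_allowlisted(src, allowlist=ENGINEERING_ALLOWLIST):
    """True if `src` belongs to one of the trusted engineering networks."""
    return any(ip_address(src) in net for net in allowlist)


def nft_allowlist_rules(plc_ip=PLC_IP, allowlist=ENGINEERING_ALLOWLIST):
    """nftables forward-chain snippet for the firewall in front of the PLC."""
    nets = ", ".join(str(n) for n in allowlist)
    ports = ", ".join(str(p) for p in sorted(PLC_WEB_PORTS))
    return "\n".join([
        "table inet ot_plc {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        f"    ip saddr {{ {nets} }} ip daddr {plc_ip} tcp dport {{ {ports} }} accept",
        f"    ip daddr {plc_ip} tcp dport {{ {ports} }} drop",
        "  }",
        "}",
    ])


if __name__ == "__main__":
    floods = find_login_floods(parse_conn_log(SAMPLE_CONN_LOG))
    for src, n in floods.items():
        verdict = "allowlisted" if is_allowlisted(src) else "would be dropped by the allowlist rule"
        print(f"{src}: {n} web connections in 10 s ({verdict})")
    print(nft_allowlist_rules())
```

Run it against a real conn.log export by replacing SAMPLE_CONN_LOG with the file contents; a flagged source that is allowlisted points at a compromised or misconfigured engineering host rather than an external attacker, which is the case the firewall rule cannot help with and the IP filter on the PLC cannot either.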
Schedule — requires maintenance window

No firmware fix is available yet; when one is released, applying it will require a device reboot, so plan for a process interruption.

HARDENING: If remote access over the internet is required, place the PLC behind a VPN rather than exposing the web interface directly.
Mitigations - no patch available
The following iQ-R products have reached End of Life and will receive no fix:
  • R00/01/02CPU, firmware version 05 and later
  • R04/08/16/32/120(EN)CPU, firmware version 35 and later
  • R08/16/32/120/PCPU, firmware version 37 and later
Apply the following compensating control in addition to the network controls above:
HARDENING: Restrict physical access to the PLC and to the network segments it is connected to.