Mitsubishi Electric FA products (Update A)

Plan PatchCVSS 10ICS-CERT ICSA-23-306-03Nov 2, 2023

Mitsubishi ElectricEnergy

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Mitsubishi Electric FA products—including MELSEC-F series (FX3G, FX3U, FX3S, FX3UC, FX3SA, FX3GA, FX3GE, FX3GC), MELSEC iQ-F series (FX5U, FX5UC, FX5UJ, FX5S, FX5 SSC), MELSEC iQ-R series, MELSEC iQ-L series, MELSEC Q series CPUs and motion modules, and Mitsubishi CNC controllers (M800V/M80V and M800/M80/E80 series)—contain an input validation vulnerability (CWE-306) that allows an unauthenticated remote attacker to send specially crafted network packets and execute arbitrary commands on the PLC or CNC controller. All versions of each model are affected. The vulnerability requires only network access to the controller's Ethernet interface and carries a CVSS score of 10.0 (critical) with complete impact on confidentiality, integrity, and availability. No vendor firmware patch is available for any affected product.

What this means

What could happen

An attacker who reaches a MELSEC or Mitsubishi CNC controller over the network can execute arbitrary commands on the device, potentially altering machine control logic, process setpoints, or halting production operations.

Who's at risk

All organizations operating Mitsubishi Electric MELSEC-F series (FX3G, FX3U, FX3S, FX3UC, FX3SA, FX3GA, FX3GE, FX3GC variants), MELSEC iQ-F series (FX5U, FX5UC, FX5UJ, FX5S, FX5 Smart Controllers), MELSEC iQ-R series, MELSEC iQ-L series, MELSEC Q series PLCs, and Mitsubishi CNC controllers (M800V, M80V, M800, M80, E80, M700V, M70V, E70 series) should care about this vulnerability. This affects discrete manufacturing, machine builders, packaging, automotive suppliers, and any facility relying on these legacy or current-generation Mitsubishi controls for production automation.

How it could be exploited

An attacker sends specific packets to the network port (typically Ethernet) of a vulnerable MELSEC PLC or CNC controller. The device lacks proper input validation and authentication, allowing the attacker to inject commands that execute with the privileges of the controller. No credentials are required.

Prerequisites

Network access to the Ethernet port of the PLC or CNC controller
Device must be reachable from attacker's network segment
No authentication required

Remotely exploitable over networkNo authentication requiredLow complexity to exploitNo patch available for any affected productAffects industrial control and machine automation systems

Exploitability

Unlikely to be exploited — EPSS score 0.9%

Public Proof-of-Concept (PoC) on GitHub (1 repository)

Affected products (247)

247 pending

ProductAffected VersionsFix Status

MELSEC-F series CPU module FX3U-128MR/ES-A: vers:all/*All versionsNo fix yet

MELSEC-F series CPU module FX3UC-16MT/D: vers:all/*All versionsNo fix yet

MELSEC-F series CPU module FX3UC-32MT/D: vers:all/*All versionsNo fix yet

MELSEC-F series CPU module FX3UC-64MT/D: vers:all/*All versionsNo fix yet

MELSEC-F series CPU module FX3UC-96MT/D: vers:all/*All versionsNo fix yet

Remediation & Mitigation

0/5

Do now

0/3

WORKAROUNDImplement firewall rules to block all inbound Ethernet traffic to MELSEC/CNC controllers from untrusted networks or hosts

HARDENINGEnable IP filter function on iQ-F, iQ-R, iQ-L series, and M800V/M80V/M800/M80/E80 controllers to restrict access to known engineering workstations and authorized hosts only

HARDENINGFor Mitsubishi CNC M800V/M80V and M800/M80/E80 series, set parameter #11094 'GX Restriction' to 1 and configure the maintenance screen operation level to prevent unauthorized modifications

Long-term hardening

0/2

HARDENINGIsolate all affected PLC and CNC controllers to a dedicated industrial network segment with no direct connection to corporate networks or the Internet

HARDENINGRestrict physical access to all MELSEC and CNC controllers and the network cables connecting them to prevent direct tampering or rogue device insertion

CVEs (1)

CVE-2023-4699

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/85f44f39-d399-47dd-961a-3a9d38698ac5

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.