Mitsubishi Electric Multiple Factory Automation Products (Update A)

MonitorCVSS 5.3ICS-CERT ICSA-24-058-01Feb 27, 2024

Mitsubishi ElectricEnergy

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A TCP SYN Flood vulnerability exists in the Ethernet communication stack of Mitsubishi Electric factory automation products. Successful exploitation causes a temporary denial-of-service condition in network communication, preventing the device from responding to legitimate commands. Affected products include MELSEC iQ-R/iQ-L/iQ-F series PLCs and CPU modules, motion controller modules, CC-Link IE TSN network and remote I/O modules, FR-series inverter drives, and MR-series servo drives. All versions of all affected products are vulnerable. Mitsubishi Electric does not plan to release a fixed version.

What this means

What could happen

An attacker can send specially crafted TCP traffic to cause a temporary loss of network communication on affected Mitsubishi factory automation devices, interrupting data exchange between PLCs, motion controllers, inverters, and field devices until the device recovers.

Who's at risk

Factory automation teams operating Mitsubishi Electric MELSEC iQ-R, iQ-L, and iQ-F PLCs; motion controllers; CC-Link IE TSN network modules and remote I/O devices; inverter drives (FR series); and servo drives (MR-J5, MR-JET, MR-MD333G series). This affects both energy sector deployments and general manufacturing automation.

How it could be exploited

An attacker on the network sends a TCP SYN Flood attack (many half-open connection requests) to the Ethernet port of the affected device. The device's Ethernet stack becomes overwhelmed and stops responding to legitimate commands, causing a temporary denial of service lasting minutes to hours depending on recovery time.

Prerequisites

Network access to the device's Ethernet port (port 502 for CC-Link IE TSN, standard industrial Ethernet ports for others)
No authentication required - the attack works at the network layer before credentials are checked

Remotely exploitable over EthernetNo authentication requiredLow attack complexityAffects core industrial PLC and motion control devicesNo vendor patch planned - all versions affected with no fix availableWidely deployed in critical infrastructure (energy sector flagged)

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (159)

159 pending

ProductAffected VersionsFix Status

CC-Link IE TSN Digital-Analog Converter Module NZ2GN2B-60DA4: vers:all/*All versionsNo fix yet

CC-Link IE TSN - CC-Link IE Field Network Bridge Module NZ2GN-GFB: vers:all/*All versionsNo fix yet

CC-Link IE TSN - AnyWireASLINK Bridge Module NZ2AW1GNAL: vers:all/*All versionsNo fix yet

CC-Link IE TSN FPGA Module NZ2GN2S-D41P01: vers:all/*All versionsNo fix yet

CC-Link IE TSN FPGA Module NZ2GN2S-D41D01: vers:all/*All versionsNo fix yet

Remediation & Mitigation

0/5

Do now

0/3

HARDENINGDeploy a firewall to block access from untrusted networks and hosts to Mitsubishi devices

HARDENINGUse a VPN for remote access to devices requiring Internet connectivity

WORKAROUNDConfigure IP filter function on supported models (MELSEC iQ-R, iQ-L, iQ-F series) to block connections from untrusted hosts

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HARDENINGOperate all affected devices within a LAN only; block external network access

Long-term hardening

0/1

HARDENINGRestrict physical access to affected devices and the LAN segment they occupy

CVEs (1)

CVE-2023-7033

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/24a04189-12bf-471e-bc34-dca4f675bc7f

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.