OTPulse

Mitsubishi Electric Multiple Factory Automation Products (Update A)

Monitor · CVSS 5.3 · ICS-CERT ICSA-24-058-01 · Feb 27, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A TCP SYN Flood vulnerability exists in the Ethernet communication stack of Mitsubishi Electric factory automation products. Successful exploitation causes a temporary denial-of-service condition in network communication, preventing the device from responding to legitimate commands. Affected products include MELSEC iQ-R/iQ-L/iQ-F series PLCs and CPU modules, motion controller modules, CC-Link IE TSN network and remote I/O modules, FR-series inverter drives, and MR-series servo drives. All versions of all affected products are vulnerable. Mitsubishi Electric does not plan to release a fixed version.

What this means
What could happen
An attacker can send specially crafted TCP traffic to cause a temporary loss of network communication on affected Mitsubishi factory automation devices, interrupting data exchange between PLCs, motion controllers, inverters, and field devices until the device recovers.
Who's at risk
Factory automation teams operating Mitsubishi Electric MELSEC iQ-R, iQ-L, and iQ-F PLCs; motion controllers; CC-Link IE TSN network modules and remote I/O devices; inverter drives (FR series); and servo drives (MR-J5, MR-JET, MR-MD333G series). This affects both energy sector deployments and general manufacturing automation.
How it could be exploited
An attacker on the network sends a TCP SYN flood (many half-open connection requests) to the Ethernet port of the affected device. The device's Ethernet stack becomes overwhelmed and stops responding to legitimate commands, causing a temporary denial of service lasting minutes to hours depending on recovery time.
Prerequisites
  • Network access to the device's Ethernet port (port 502 for CC-Link IE TSN, standard industrial Ethernet ports for others)
  • No authentication required - the attack works at the network layer before credentials are checked
Remotely exploitable over Ethernet · No authentication required · Low attack complexity · Affects core industrial PLC and motion control devices · No vendor patch planned - all versions affected with no fix available · Widely deployed in critical infrastructure (energy sector flagged)
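Because no fix is planned, monitoring for the half-open connection pattern described above is one way to notice the condition early. The following is an added example, not code from the advisory or from Mitsubishi Electric: it counts unfinished TCP handshakes per device over packet records from a mirror port. The record layout, IP addresses, window and threshold are assumptions chosen for illustration.

```python
from collections import defaultdict

def detect_syn_flood(packets, window=5.0, threshold=20):
    """Return {device_ip: peak half-open count} for devices over the threshold.

    packets: time-sorted tuples (ts, src, sport, dst, dport, flags), where
    flags is a string such as "S", "SA", "A" or "R".
    """
    pending = defaultdict(dict)  # dst -> {(src, sport, dport): time of SYN}
    alerts = {}
    for ts, src, sport, dst, dport, flags in packets:
        opens = pending[dst]
        if flags == "S":
            opens[(src, sport, dport)] = ts        # handshake started
        elif "S" not in flags and ("A" in flags or "R" in flags):
            opens.pop((src, sport, dport), None)   # client completed or reset it
        else:
            continue                               # e.g. SYN-ACK sent by the device
        # Forget SYNs older than the window so slow, normal traffic never adds up.
        for key in [k for k, t in opens.items() if ts - t > window]:
            del opens[key]
        if len(opens) > threshold:
            alerts[dst] = max(alerts.get(dst, 0), len(opens))
    return alerts

def sample_packets():
    """Constructed traffic: one HMI finishing handshakes, one host that never does."""
    plc, hmi, noisy = "192.0.2.10", "192.0.2.50", "198.51.100.7"
    pkts = []
    for i in range(3):  # three complete SYN / SYN-ACK / ACK exchanges
        t = float(i)
        pkts += [(t, hmi, 40000 + i, plc, 502, "S"),
                 (t + 0.01, plc, 502, hmi, 40000 + i, "SA"),
                 (t + 0.02, hmi, 40000 + i, plc, 502, "A")]
    # 40 SYNs in two seconds, none followed by an ACK
    pkts += [(10.0 + i * 0.05, noisy, 50000 + i, plc, 502, "S") for i in range(40)]
    return sorted(pkts)

if __name__ == "__main__":
    print(detect_syn_flood(sample_packets()))
```

Tune the window and threshold to the number of connections each device normally receives; a PLC polled by a handful of HMIs needs a much lower threshold than an office server would.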
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (159)
159 pending
Product | Affected Versions | Fix Status
CC-Link IE TSN Digital-Analog Converter Module NZ2GN2B-60DA4: vers:all/* | All versions | No fix yet
CC-Link IE TSN - CC-Link IE Field Network Bridge Module NZ2GN-GFB: vers:all/* | All versions | No fix yet
CC-Link IE TSN - AnyWireASLINK Bridge Module NZ2AW1GNAL: vers:all/* | All versions | No fix yet
CC-Link IE TSN FPGA Module NZ2GN2S-D41P01: vers:all/* | All versions | No fix yet
CC-Link IE TSN FPGA Module NZ2GN2S-D41D01: vers:all/* | All versions | No fix yet
Remediation & Mitigation
Do now
HARDENING: Deploy a firewall to block access from untrusted networks and hosts to Mitsubishi devices
HARDENING: Use a VPN for remote access to devices requiring Internet connectivity
WORKAROUND: Configure IP filter function on supported models (MELSEC iQ-R, iQ-L, iQ-F series) to block connections from untrusted hosts
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Operate all affected devices within a LAN only; block external network access
Long-term hardening
HARDENING: Restrict physical access to affected devices and the LAN segment they occupy
Mitsubishi Electric Multiple Factory Automation Products (Update A) | CVSS 5.3 - OTPulse