OTPulse

Mitsubishi Electric MELSEC-Q/L Series (Update B)

Act Now | CVSS 9.8 | ICS-CERT ICSA-24-074-14 | Mar 14, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Mitsubishi Electric MELSEC-Q and MELSEC-L Series programmable logic controllers (PLCs) contain vulnerabilities that allow a remote attacker to read arbitrary information or execute arbitrary code by sending a specially crafted packet. The vulnerabilities affect multiple CPU models with serial numbers where the first 5 digits are "26061" or earlier (Q-series) or "26041" or earlier (L-series).

What this means
What could happen
An attacker with network access to an affected MELSEC PLC could read sensitive data from the device memory or execute arbitrary code, potentially altering process logic, disabling safety interlocks, or stopping critical plant operations like power generation or distribution.
Who's at risk
Energy sector utilities operating MELSEC-Q or MELSEC-L series PLCs are directly affected. These controllers are commonly used in power generation facilities, substations, and distribution systems for process control and automation. Any organization using these legacy Mitsubishi controllers for critical operational functions should assess their exposure immediately.
How it could be exploited
An attacker sends a specially crafted network packet to the PLC on its industrial protocol port (typically Ethernet). The PLC processes the malformed packet without proper validation, allowing the attacker to either read memory contents or inject and execute malicious code directly on the CPU. No authentication is required.
Prerequisites
  • Network access to the MELSEC PLC on its industrial Ethernet port
  • PLC must have serial number with first 5 digits of 26061 (Q-series) or 26041 (L-series) or earlier
  • No authentication credentials required
remotely exploitable | no authentication required | low complexity | no patch available | high CVSS (9.8) | affects critical control systems
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (22)
22 with fix
Product | Affected Versions | Fix Status
MELSEC-Q Series Q10UDEHCPU | ≤ The first 5 digits of serial No. "26061" | Serial number 26062 or later
MELSEC-Q Series Q13UDEHCPU | ≤ The first 5 digits of serial No. "26061" | Serial number 26062 or later
MELSEC-Q Series Q20UDEHCPU | ≤ The first 5 digits of serial No. "26061" | Serial number 26062 or later
MELSEC-Q Series Q26UDEHCPU | ≤ The first 5 digits of serial No. "26061" | Serial number 26062 or later
MELSEC-Q Series Q50UDEHCPU | ≤ The first 5 digits of serial No. "26061" | Serial number 26062 or later
Remediation & Mitigation
Do now
HARDENING: Identify all MELSEC-Q and MELSEC-L CPUs in your environment by checking serial numbers (first 5 digits); units with 26061 or earlier (Q-series) and 26041 or earlier (L-series) are vulnerable
WORKAROUND: Implement firewall rules to block all network access to affected PLCs from untrusted networks and the Internet; restrict communications to only authorized engineering workstations and HMI systems on your control network
HARDENING: Segment the PLC network from corporate IT and guest networks using physical or logical separation (VLAN); ensure control system traffic does not route through internet-connected gateways
HARDENING: Restrict physical access to affected PLCs, engineering laptops, and network cabling in the plant; implement badge access controls in control rooms and equipment areas
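
The serial-number check from the first "Do now" item, applied to an asset inventory; this is an added example, not part of the advisory or of any Mitsubishi tooling. The CSV layout, asset names, serial numbers and the `series` column (Q or L) are constructed assumptions; only the two prefix thresholds come from the advisory.

```python
import csv
import io

# Last affected serial prefix (first 5 digits) per series, taken from the advisory.
LAST_AFFECTED_PREFIX = {"Q": 26061, "L": 26041}

# Constructed sample inventory: asset names, serial numbers and the
# "series" column are assumptions for this example, not advisory data.
SAMPLE_INVENTORY = """asset,series,model,serial
turbine-plc-01,Q,Q10UDEHCPU,260610000000000
turbine-plc-02,Q,Q26UDEHCPU,260620000000000
boiler-plc-03,Q,Q20UDEHCPU,150320000000000
substation-plc-04,L,L-series CPU (placeholder),260410000000000
substation-plc-05,L,L-series CPU (placeholder),260420000000000
feeder-plc-06,Q,Q13UDEHCPU,2606
feeder-plc-07,Q,Q50UDEHCPU,S/N unreadable
line-plc-08,iQ-R,iQ-R CPU (placeholder),260000000000000
"""


def classify(series, serial):
    """Return 'vulnerable', 'fixed', 'out-of-scope' or 'verify-manually'."""
    threshold = LAST_AFFECTED_PREFIX.get(series.strip().upper())
    if threshold is None:
        return "out-of-scope"  # series not covered by this advisory
    prefix = serial.strip()[:5]
    # A short or non-numeric prefix cannot be compared; never assume "fixed".
    if len(prefix) < 5 or not (prefix.isascii() and prefix.isdigit()):
        return "verify-manually"
    return "vulnerable" if int(prefix) <= threshold else "fixed"


def triage(inventory_csv):
    """Classify every row of a CSV inventory; returns (asset, model, status)."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return [(r["asset"], r["model"], classify(r["series"], r["serial"]))
            for r in rows]


if __name__ == "__main__":
    for asset, model, status in triage(SAMPLE_INVENTORY):
        print(f"{asset:20} {model:28} {status}")
```

Units reported as `verify-manually` need the serial read from the rating plate before they are treated as fixed.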
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: If firmware updates are available from Mitsubishi (serial numbers 26062 or later for Q-series, 26042 or later for L-series), schedule a maintenance window to upgrade affected units
HARDENING: Install and maintain antivirus software on all engineering workstations that have access to affected PLCs
Long-term hardening
HARDENING: Plan replacement of affected MELSEC-Q and MELSEC-L controllers with Mitsubishi MELSEC iQ-R Series as part of long-term asset refresh cycle