Mitsubishi Electric MELSEC iQ-F Series

Monitor7.5ICS-CERT ICSA-24-324-01Nov 19, 2024

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A denial-of-service vulnerability exists in Mitsubishi Electric MELSEC iQ-F Series FX5-ENET and FX5-ENET/IP communication modules. A remote attacker can send a malicious packet to the Ethernet port, causing the module to stop responding and halting network communication until the module is manually reset. The vulnerability affects FX5-ENET versions 1.100 and later, and FX5-ENET/IP versions 1.100 through 1.105.

What this means

What could happen

An attacker on your network could send malicious packets to an FX5-ENET or FX5-ENET/IP module, causing it to stop communicating on Ethernet and interrupting operations. The module requires a manual reset to recover.

Who's at risk

Energy utilities operating Mitsubishi Electric MELSEC iQ-F Series programmable logic controllers (PLCs) with FX5-ENET or FX5-ENET/IP communication modules should assess this risk. Affected equipment includes any FX5-ENET module and FX5-ENET/IP modules running firmware older than version 1.106.

How it could be exploited

An attacker with network access to the FX5-ENET or FX5-ENET/IP module can send a specially crafted packet to the Ethernet port, triggering a denial-of-service condition that causes the module to stop responding. The attack requires only network reachability—no credentials or authentication are needed.

Prerequisites

Network access to the FX5-ENET or FX5-ENET/IP module on port 502 (MELSEC port) or port 44818 (EtherNet/IP default port)
No authentication required
Device must be reachable from the attacker's network segment

remotely exploitableno authentication requiredlow complexityaffects PLC communication modulenetwork isolation required for mitigation

Exploitability

Low exploit probability (EPSS 0.8%)

Affected products (2)

2 EOL

ProductAffected VersionsFix Status

MELSEC iQ-F Series FX5-ENET: >=1.100≥ 1.100No fix (EOL)

MELSEC iQ-F Series FX5-ENET/IP: >=1.100|<1.104≥ 1.100|<1.104No fix (EOL)

Remediation & Mitigation

0/6

Do now

0/2

WORKAROUNDBlock network access to the FX5-ENET and FX5-ENET/IP modules from untrusted networks and hosts using firewalls

WORKAROUNDEnable IP filter function on the module to restrict access from untrusted hosts (refer to MELSEC iQ-F FX5 User's Manual Communication section 13.1)

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate MELSEC iQ-F Series FX5-ENET/IP to firmware version 1.106 or later

Mitigations - no patch available

0/3

The following products have reached End of Life with no planned fix: MELSEC iQ-F Series FX5-ENET: >=1.100, MELSEC iQ-F Series FX5-ENET/IP: >=1.100|<1.104. Apply the following compensating controls:

HARDENINGRestrict physical access to the module and to computers and network devices on the same network segment

HARDENINGIsolate the control system network from the business network and locate it behind a firewall

HARDENINGUse VPN for any required remote access to the control system network

CVEs (1)

CVE-2024-8403

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/d651e215-e15e-4445-8235-c00015bc7fa2