Mitsubishi Electric MELSEC iQ-R Series
Act Now | CVSS 9.4 | ICS-CERT ICSA-26-036-02 | Feb 5, 2026
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
MELSEC iQ-R Series CPUs (R08/R16/R32/R120) firmware versions 48 and earlier contain a vulnerability that allows an attacker with network access to read device data and control program code from the device, write data or modify setpoints, or cause the device to stop responding (denial of service). The vulnerability is exploitable without authentication over the Ethernet port.
What this means
What could happen
An attacker with network access to a MELSEC iQ-R PLC could read control programs and device data, modify data or setpoints, or crash the controller, disrupting production or critical process control.
Who's at risk
Energy sector operators using Mitsubishi Electric MELSEC iQ-R series programmable logic controllers (PLC CPUs R08, R16, R32, R120) should assess this vulnerability. The iQ-R is commonly used in power distribution, substation control, and critical infrastructure automation. Any plant or utility with these PLCs exposed to a network is at risk.
How it could be exploited
An attacker on the network sends a crafted request to the Ethernet port of the MELSEC iQ-R CPU unit (port 502 or similar industrial protocol port). No authentication is required. The device responds with data read from memory, accepts writes to device data areas, or crashes when processing a malformed command.
Prerequisites
- Network access to the MELSEC iQ-R CPU Ethernet port
- Device running firmware version 48 or earlier
- No authentication credentials required
Tags: remotely exploitable, no authentication required, low complexity attack, high CVSS (9.4), affects process control systems, affects safety-critical operations
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (1)
Product: MELSEC iQ-R Series R08/16/32/120PCPU
Affected Versions: firmware <= 48
Fix Status: 49 or later
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to the MELSEC iQ-R CPU using a firewall; block inbound connections from untrusted networks and external sources
- HARDENING: Enable the IP filter function on the MELSEC iQ-R CPU to limit connections to authorized engineering workstations and SCADA systems only
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
- HOTFIX: Update MELSEC iQ-R R08/R16/R32/R120 firmware to version 49 or later using the official firmware update procedure from Mitsubishi Electric
Long-term hardening
- HARDENING: Isolate the MELSEC iQ-R controller to a dedicated industrial network segment (VLAN) separated from corporate IT networks by a firewall
- HARDENING: Restrict physical access to the MELSEC iQ-R CPU and connected LAN cables to authorized personnel only
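A triage check for the remediation steps above, as an added example that is not part of the advisory or any vendor tooling: it lists PLCs still on firmware 48 or earlier and flags connections to them from hosts outside the authorized set. The inventory and flow-log CSV layouts, the IP addresses, and the expansion of "R08/16/32/120PCPU" into four model strings are assumptions made for illustration.

```python
import csv
import io
import ipaddress

# Affected models and last vulnerable firmware version, taken from the advisory.
# The four model strings are an assumed expansion of "R08/16/32/120PCPU".
AFFECTED_MODELS = {"R08PCPU", "R16PCPU", "R32PCPU", "R120PCPU"}
LAST_VULNERABLE_FW = 48

# Constructed sample data; both CSV formats are hypothetical.
INVENTORY_CSV = """ip,model,firmware
10.20.1.10,R08PCPU,47
10.20.1.11,R32PCPU,49
10.20.1.12,R120PCPU,48
10.20.1.13,OTHERCPU,30
"""
FLOWS_CSV = """src,dst
10.20.5.21,10.20.1.10
192.168.77.40,10.20.1.10
192.168.77.40,10.20.1.11
10.20.5.22,10.20.1.12
"""
# Engineering workstations / SCADA hosts allowed to reach the PLCs (assumed).
AUTHORIZED = [ipaddress.ip_network(n) for n in ("10.20.5.21/32", "10.20.5.22/32")]


def affected_plcs(inventory_csv):
    """Return {ip: firmware} for in-scope PLCs that still need firmware 49 or later."""
    out = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        model, fw = row["model"].strip().upper(), int(row["firmware"])
        if model in AFFECTED_MODELS and fw <= LAST_VULNERABLE_FW:
            out[row["ip"].strip()] = fw
    return out


def unauthorized_flows(flows_csv, plcs, authorized):
    """Return sorted (src, dst) pairs where a non-allowlisted host reached an affected PLC."""
    hits = set()
    for row in csv.DictReader(io.StringIO(flows_csv)):
        src, dst = row["src"].strip(), row["dst"].strip()
        if dst in plcs and not any(ipaddress.ip_address(src) in net for net in authorized):
            hits.add((src, dst))
    return sorted(hits)


if __name__ == "__main__":
    plcs = affected_plcs(INVENTORY_CSV)
    for ip, fw in plcs.items():
        print(f"needs update: {ip} firmware {fw}")
    for src, dst in unauthorized_flows(FLOWS_CSV, plcs, AUTHORIZED):
        print(f"review firewall/IP filter: {src} -> {dst}")
```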
CVEs (1)