A Widely Deployed Mitsubishi Industrial Controller Is Vulnerable to Remote Exploitation

  • All versions of the Mitsubishi Electric MELSEC iQ-R Series CPU module are vulnerable to remote exploitation.
  • No patches are available yet, so mitigation is the only way to address the threat.
  • With the issues going public, malicious actors are sure to ramp up their scanning efforts now.

CISA has released an urgent security notice to warn the public about a set of flaws that affect the MELSEC iQ-R Series CPU module by Mitsubishi Electric, which is deployed in critical manufacturing sectors around the world. No patches are available for the flaws yet, so users of the vulnerable product are urged to apply mitigations as soon as possible. Not responding to the emergency quickly puts users at risk of unauthorized remote access, CPU module access, DoS, network traffic sniffing, and more.

The flaws are the following:

  • CVE-2021-20594: Brute-forcing the module remotely to acquire legitimate usernames. CVSS v3 – 5.9
  • CVE-2021-20597: Obtain unprotected credentials by sniffing the network traffic. CVSS v3 – 7.4
  • CVE-2021-20598: Lock out a legitimate user (denial of service) by remotely attempting to log in using a known username and incorrect passwords. CVSS v3 – 3.7
Source: Mitsubishi

The vulnerable products are all versions of the R08/16/32/120SFCPU and all versions of the R08/16/32/120PSFCPU. Mitsubishi has promised to push out firmware fixes for the first two flaws (the third is addressed as a consequence of those fixes). Still, until then, users are advised to apply the following mitigations:

  • Use a firewall or virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required.
  • Use within a LAN and block access from untrusted networks and hosts through firewalls.
  • Use the IP filter function* to restrict the accessible IP addresses.
  • Register user information or change the password via USB. If you have already registered user information or changed the user’s password via the network, change the password once via USB. This mitigation is applicable to CVE-2021-20597.
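As an added illustration, not taken from the CISA notice or from Mitsubishi, the script below shows how a defender could review PLC login records for the patterns behind the three flaws (many distinct failed usernames from one host, repeated failures against one account) and for sources that the IP filter allowlist should have blocked. The log format, addresses, usernames and field names are constructed assumptions.

```python
"""Flag login activity against a MELSEC iQ-R CPU module matching the patterns
behind CVE-2021-20594 (remote username enumeration) and CVE-2021-20598 (account
lockout via repeated bad passwords). Log format and all names are constructed."""
import re
from collections import defaultdict

# Constructed records from a hypothetical perimeter sensor watching PLC logins.
SAMPLE_LOG = """\
2021-08-05T10:00:01 plc=192.0.2.10 src=10.0.5.20 user=engineer result=ok
2021-08-05T10:00:03 plc=192.0.2.10 src=203.0.113.7 user=admin result=fail
2021-08-05T10:00:04 plc=192.0.2.10 src=203.0.113.7 user=root result=fail
2021-08-05T10:00:05 plc=192.0.2.10 src=203.0.113.7 user=test result=fail
2021-08-05T10:00:06 plc=192.0.2.10 src=203.0.113.7 user=operator result=fail
2021-08-05T10:00:07 plc=192.0.2.10 src=203.0.113.7 user=engineer result=fail
2021-08-05T10:00:08 plc=192.0.2.10 src=203.0.113.7 user=engineer result=fail
2021-08-05T10:00:09 plc=192.0.2.10 src=203.0.113.7 user=engineer result=fail
"""
# Engineering workstations the IP filter permits (constructed addresses).
ALLOWED_SOURCES = {"10.0.5.20", "10.0.5.21"}
LINE_RE = re.compile(r"src=(\S+) user=(\S+) result=(\w+)")

def analyse(log_text, allowed=ALLOWED_SOURCES, user_threshold=3, lockout_threshold=3):
    """Return sorted (source, finding) tuples for the suspicious activity seen."""
    failed_users = defaultdict(set)     # src -> distinct usernames that failed
    failed_per_user = defaultdict(int)  # (src, user) -> failed attempts
    findings = set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, user, result = m.groups()
        if src not in allowed:
            findings.add((src, "source not in IP-filter allowlist"))
        if result == "fail":
            failed_users[src].add(user)
            failed_per_user[(src, user)] += 1
    # Many distinct failed usernames from one host: enumeration (CVE-2021-20594).
    for src, users in failed_users.items():
        if len(users) >= user_threshold:
            findings.add((src, "username enumeration pattern (CVE-2021-20594)"))
    # Repeated failures for one account: lockout of a legitimate user (CVE-2021-20598).
    for (src, user), n in failed_per_user.items():
        if n >= lockout_threshold:
            findings.add((src, f"repeated failures for '{user}', lockout risk (CVE-2021-20598)"))
    return sorted(findings)

if __name__ == "__main__":
    for src, finding in analyse(SAMPLE_LOG):
        print(f"{src}: {finding}")
```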

Since all three flaws can be exploited remotely, malicious actors are more likely to hunt for them now that CISA has published an alert. As such, minimizing network exposure for all control systems and devices is key, as not showing up as vulnerable on network scans is a solid step toward avoiding trouble. Another good practice is to put those devices behind strict firewalls and isolate them from critical parts of your business network.
