A Widely Deployed Mitsubishi Industrial Controller Is Vulnerable to Remote Exploitation

Written by Bill Toulas
Published on September 8, 2021

CISA has released an urgent security notice to warn the public about a set of flaws that affect the MELSEC iQ-R Series CPU module by Mitsubishi Electric, which is deployed in critical manufacturing sectors around the world. There are no patches to address the flaws yet, so users of the vulnerable product are urged to apply mitigations as soon as possible. Failing to respond quickly puts users at risk of unauthorized remote access, CPU module access, DoS, network traffic sniffing, and more.

The flaws are the following:

Source: Mitsubishi

The vulnerable products are all versions of the R08/16/32/120SFCPU and all versions of the R08/16/32/120PSFCPU. Mitsubishi has promised to push out firmware fixes for the first two of the flaws (the third one will be automatically addressed as a result). Still, until then, users are advised to apply the following mitigations:

Since all three flaws can be exploited remotely, malicious actors are more likely to go hunting for them now that CISA has published an alert. As such, minimizing network exposure for all control systems and devices is key, as not showing up as vulnerable on network scans is a solid step toward avoiding trouble. Another good practice is to put those devices behind strict firewalls and isolate them from critical parts of your business network.
