CVE-2023-2060: Weak Password Vulnerability in Mitsubishi Electric MELSEC FTP Server

ISGroup Cybersecurity

Mitsubishi Electric MELSEC iQ-R and iQ-F are programmable logic controllers (PLCs) used globally in industrial control systems (ICS) and operational technology (OT) environments. These devices are fundamental for automating production processes, controlling machinery, and managing infrastructure. A vulnerability in such a critical component poses a significant risk to operational integrity and security.

The primary risk consists of unauthorized remote access to the PLC file system via the integrated FTP server. This could allow an attacker to manipulate the PLC logic, causing production interruptions, equipment damage, or hazardous operating conditions. Although there are no public reports of active exploitation and this CVE is not currently listed in CISA’s KEV (Known Exploited Vulnerabilities) catalog, the attack vector (brute-forcing weak credentials) is trivial to execute for anyone with network access to the device.

Any organization using these MELSEC EtherNet/IP modules should consider this vulnerability a high-priority issue. Exposure is particularly critical in environments with flat networks where IT systems can communicate directly with OT assets or where remote access to the OT network is not adequately secured.

ProductMitsubishi Electric MELSEC iQ-R/F Series
Date2025-12-05 00:26:01

Technical Summary

The root cause of this vulnerability is CWE-521: Weak Password Requirements for the integrated FTP server function in the affected EtherNet/IP modules. The firmware does not enforce complexity rules, allowing operators to set simple and easily guessable passwords, which are vulnerable to dictionary or brute-force attacks.

An attacker with network access to the module’s FTP port can systematically attempt to log in using a list of common or default credentials.

Attack Chain:

  1. An attacker scans the network and identifies an open FTP port on a MELSEC EtherNet/IP module.
  2. The attacker launches a dictionary or brute-force attack against the FTP authentication mechanism.
  3. Due to weak password policies, the attacker successfully authenticates.
  4. Once authenticated, the attacker has read, write, and delete permissions on the PLC file system. This can be exploited to exfiltrate sensitive configuration data, upload malicious logic, or delete critical files to cause a denial of service.

Affected Modules:

  • MELSEC iQ-R Series EtherNet/IP Module: Model RJ71EIP91
  • MELSEC iQ-F Series EtherNet/IP Module: Model FX5-ENET/IP

There is no specific patch for this issue, as it is considered a configuration weakness. The vendor recommends implementing security best practices.

Recommendations

  • Apply vendor mitigations immediately: Enforce the use of strong, complex, and unique passwords for the FTP server and all other PLC interfaces. Refer to the vendor’s guidelines for password configuration.
  • Restrict network access: If the FTP server functionality is not essential for operations, disable it. If it is required, implement restrictive firewall rules and access control lists (ACLs) to ensure that only authorized systems can communicate with the PLC’s FTP port.
  • Isolate control systems: Implement network segmentation to isolate critical OT networks from corporate IT networks. This prevents attackers from moving laterally from a compromised IT system to a sensitive control system. Use a DMZ architecture for any necessary data transfers.
  • Hunting and monitoring:
    • Monitor network traffic to detect an abnormal volume of failed FTP login attempts directed at PLC devices. This is a primary indicator of an ongoing brute-force attack.
    • Implement a file integrity monitoring (FIM) solution or perform periodic audits of the PLC file system to detect unauthorized changes, additions, or deletions.

  • Incident response: In case of a suspected compromise, immediately isolate the affected module from the network to contain the threat. Activate the facility’s incident response plan and preserve logs and forensic data for investigation.
  • Defense in depth: Ensure that engineering workstations are secured and that the use of removable media is strictly controlled. Maintain and test offline backups of known-good PLC configurations and logic to allow for rapid recovery.

[Callforaction-THREAT-Footer]