Mitsubishi Electric MELSEC iQ-R and iQ-F Series are programmable logic controllers (PLCs) commonly used in industrial control systems (ICS) and operational technology (OT) environments to automate production processes. These devices are critical for factory operations, machinery management, and production continuity. A vulnerability in such a critical component poses a significant risk to industrial operations.
The primary risk is the possibility for an unauthenticated remote attacker to gain FTP access to the device’s file system. This would compromise the integrity and availability of the industrial process controlled by the PLC. Although there have been no public reports of active exploitation of this specific vulnerability, its low attack complexity and the public availability of exploit information make it a critical threat. All network-accessible MELSEC modules are at risk, especially in flat networks where OT and IT systems are not properly segmented. Unauthorized access could cause operational disruptions, equipment damage, or unsafe conditions.
| Product | Mitsubishi Electric MELSEC |
| Date | 2025-12-04 12:28:03 |
Technical Summary
The root cause of this vulnerability is CWE-798: Use of Hard-coded Credentials. A static, non-changeable password for the FTP service is embedded directly within the firmware of the affected EtherNet/IP modules. This password is the same for all vulnerable devices.
The attack sequence is straightforward:
- An attacker with access to the MELSEC module’s network identifies the open FTP port (TCP/21).
- The attacker uses the publicly known hard-coded password to authenticate to the FTP service.
- After successful authentication, the attacker gains read, write, and delete access to the module’s file system.
This access allows an adversary to download sensitive configuration files, upload modified or malicious firmware, or change operational parameters with the intent to disrupt or sabotage the industrial process managed by the PLC.
Affected Modules:
- MELSEC iQ-R Series EtherNet/IP module RJ71EIP91
- MELSEC iQ-F Series EtherNet/IP module FX5-ENET/IP
Users should consult the manufacturer’s official communications to obtain information on the correct firmware versions.
Recommendations
- Apply patches immediately: Consult Mitsubishi Electric’s advisories for the correct firmware versions for the affected MELSEC iQ-R and iQ-F series modules and apply them as soon as possible, following the testing procedures required for OT environments.
- Mitigation measures:
- If the FTP functionality is not required, disable the service on the module.
- Implement strict network segmentation to isolate the ICS/OT network from the corporate IT network and the Internet.
- Use Access Control Lists (ACLs) on firewalls and network switches to restrict access to the module’s FTP port (TCP/21) exclusively to authorized engineering workstations or management servers.
- Detection and monitoring activities:
- Monitor network logs for any FTP connection attempts to the affected modules originating from unauthorized IP addresses.
- Verify firewall and switch configurations to ensure that no unauthorized paths exist toward the sensitive OT network.
- Incident response:
- In case of suspected compromise, immediately isolate the affected module from the network to prevent lateral movement or further impact on the industrial process.
- Retain the device for forensic analysis and restore configuration and firmware from a known, secure backup.
- Defense in depth:
- Ensure that secure, offline backups of PLC configurations and firmware are maintained.
- Implement a robust asset management program to track all OT devices and their respective firmware versions, in order to promptly identify vulnerable systems.
[Callforaction-THREAT-Footer]
