CVE-2023-2061: Hardcoded FTP Password Vulnerability in Mitsubishi Electric MELSEC EtherNet/IP Modules

ISGroup Cybersecurity

Mitsubishi Electric MELSEC iQ-R and iQ-F are Programmable Logic Controller (PLC) modules widely used in Industrial Control Systems (ICS) and Operational Technology (OT) environments. These devices are fundamental components in the manufacturing, automation, and critical infrastructure sectors, managing sensitive and high-impact physical processes.

The primary risk stems from a hardcoded password in the FTP service, which allows an unauthenticated remote attacker with network access to gain full control of the device’s file system. This enables the possibility of interrupting or altering industrial processes, with potential consequences such as operational downtime, equipment damage, or the production of out-of-specification items.

Although this vulnerability is not included in CISA’s KEV catalog, a public exploit exists, and the simplicity of the attack (knowledge of a static password) makes its success highly likely. Any organization with network-accessible MELSEC iQ-R or iQ-F EtherNet/IP modules is at immediate risk. The impact is amplified in flat network architectures where IT and OT environments are not adequately segmented.

ProductMitsubishi Electric MELSEC EtherNet/IP Modules
Date2025-12-05 00:14:28

Technical Summary

The vulnerability is a CWE-798: Use of Hard-coded Credentials. A static and non-configurable password for the FTP service is embedded directly into the firmware of the affected Mitsubishi Electric MELSEC EtherNet/IP modules. An attacker with network access to the device’s FTP port can authenticate using this publicly known password.

The attack chain is simple:

  1. An attacker identifies a vulnerable MELSEC module on the network, such as RJ71EIP91 or FX5-ENET/IP.
  2. The attacker initiates an FTP connection to the device’s open FTP port (TCP/21).
  3. The attacker authenticates using the widely available hardcoded credentials.
  4. Once authenticated, the attacker gains full read, write, and delete privileges on the module’s file system.

This access allows an attacker to download sensitive project files, which may contain intellectual property related to the industrial process. More critically, an attacker can upload modified control logic to manipulate physical operations or delete critical system files, causing a denial-of-service (DoS) condition that halts production.

Affected Modules:

  • MELSEC iQ-R Series EtherNet/IP Module: RJ71EIP91
  • MELSEC iQ-F Series EtherNet/IP Module: FX5-ENET/IP

Users should consult Mitsubishi Electric advisories for information on updated firmware versions.

Recommendations

  • Apply patches immediately: Install the firmware updates provided by Mitsubishi Electric for the affected modules as soon as possible.
  • Mitigations:
    • If FTP functionality is not essential for business operations, disable the FTP server on the module.
    • Implement strict Access Control Lists (ACLs) and firewall rules to ensure that only authorized devices and personnel can access the FTP port (TCP/21) on the controllers.
    • Minimize the exposure of all control system devices to untrusted networks. Whenever possible, isolate OT networks from IT networks.

  • Hunting and Monitoring:

    • Actively monitor network traffic for FTP connections to the affected MELSEC modules. Investigate any connections originating from unauthorized or unexpected IP addresses.
    • Monitor the integrity of PLC project files. Implement a system to calculate file checksums and alert on any unauthorized changes.
    • Analyze audit logs for file access patterns indicating unauthorized enumeration or read/write/delete operations.

  • Incident Response:

    • In case of a suspected compromise, immediately isolate the affected modules from the network to prevent lateral movement or further disruption.
    • Perform a forensic analysis to determine the extent of the compromise.
    • Restore the device to a known, secure state using a trusted firmware image and a project file from a secure backup.

  • Defense in Depth:

    • Apply robust network segmentation between IT and OT environments to protect critical control systems.
    • Maintain secure, offline backups of all critical PLC configurations and project files.

[Callforaction-THREAT-Footer]