Mitsubishi Electric MELSEC iQ-R and iQ-F are high-performance PLC modules widely used in Industrial Control Systems (ICS) and Operational Technology (OT) environments. These modules play a fundamental role in automating complex industrial processes in sectors such as manufacturing, energy, and critical infrastructure. Their connectivity functionality with standard Ethernet networks makes them a crucial element for modern industrial operations.
A remote, unauthenticated attacker can completely compromise the file system of these essential devices. The impact is severe, with the potential to manipulate industrial processes, cause equipment damage, production downtime, or hazardous physical conditions. The vulnerability allows an attacker to overwrite control logic, effectively taking control of the automated process managed by the PLC.
The vulnerability has a public exploit, and CISA has issued an advisory (ICSA-23-131-01) highlighting the risk. Any organization using these modules with network-accessible FTP services is exposed to significant risk. This exposure is particularly critical in environments with flat networks or inadequate segmentation between IT and OT zones, where a compromise of the IT network can be leveraged to attack these critical control systems.
| Product | Mitsubishi Electric MELSEC |
| Date | 2025-12-05 00:29:51 |
Technical Summary
The vulnerability is a CWE-306: Missing Authentication for Critical Function in the FTP service of the affected Mitsubishi Electric MELSEC EtherNet/IP modules. The FTP server implementation does not enforce any authentication mechanism, allowing any remote attacker on the network to connect and perform arbitrary file operations.
An attacker can connect to the FTP service on the default port (TCP/21) and immediately gain privileged access to the device’s file system without having to provide a username or password. This allows for the unrestricted use of FTP commands such as PUT (upload), GET (download), and DELE (delete).
The attack chain is simple:
- The attacker identifies a vulnerable MELSEC module on the network with an exposed FTP service.
- They connect via a standard FTP client.
- The server grants access to the file system without a credential request.
- The attacker can upload malicious firmware or control logic to overwrite legitimate programs, exfiltrate sensitive project files, or delete critical configuration files to cause a Denial of Service (DoS).
Affected Modules:
- MELSEC iQ-R Series EtherNet/IP module: RJ71EIP91
- MELSEC iQ-F Series EtherNet/IP module: FX5-ENET/IP
Consult the Mitsubishi Electric bulletin for details on specific firmware versions. The vendor has released corrective firmware updates to address this vulnerability. An attacker can exploit this flaw to gain an initial foothold in the OT network and potentially cause severe physical disruption.
Recommendations
- Apply patches immediately: Install the latest firmware updates released by Mitsubishi Electric for the MELSEC iQ-R RJ71EIP91 and MELSEC iQ-F FX5-ENET/IP modules. Refer to CISA advisory ICSA-23-131-01 and vendor documentation for the correct versions.
- Mitigations:
- If the FTP service is not essential for operations, disable it on the module.
- Implement strict network segmentation to isolate all ICS/OT assets from corporate (IT) networks and the Internet. Control system networks should never be directly accessible from the Internet.
- Use a firewall and create explicit ACL rules to restrict access to the FTP port (TCP/21) of the modules exclusively to authorized IP addresses, such as engineering workstations.
- Monitoring and detection:
- Monitor network traffic for FTP connections to MELSEC modules originating from untrusted or unapproved OT subnets.
- Perform audits of firewall and network logs for anomalous or unauthorized access attempts to TCP port 21 on critical PLC modules.
- Implement, if possible, file integrity monitoring systems and compare current file hashes with known, verified backups to detect unauthorized changes.
- Incident response:
- In case of suspected compromise, follow established procedures to isolate the device from the network and prevent lateral movement or further process disruption.
- Do not immediately power off the device. Preserve a forensic image of the file system for analysis before restoring from a reliable, verified backup.
- Defense in depth:
- Maintain regular, offline backups of all PLC project files, logic, and configurations.
- Apply strict physical security controls for all control system cabinets and critical infrastructure assets.
[Callforaction-THREAT-Footer]
