CVE-2023-2063: Missing Authentication Vulnerability in Mitsubishi Electric MELSEC EtherNet/IP Module

ISGroup Cybersecurity

Mitsubishi Electric MELSEC iQ-R and iQ-F are Programmable Logic Controllers (PLCs) widely deployed in Industrial Control Systems (ICS) and Operational Technology (OT) environments. These modules are fundamental components in the automation of critical infrastructure, such as manufacturing plants, energy grids, and water treatment facilities. Their compromise can have severe consequences that go beyond simple data loss, including potential physical disruptions and safety incidents.

This vulnerability represents a high risk as it allows an unauthenticated remote attacker to gain complete control over the device’s file system. Although the CVSS score is 6.3 (Medium), the potential for operational disruption increases the real-world risk. Any network-accessible module with the FTP service enabled is exposed. An attacker could halt production, manipulate industrial processes, or create dangerous physical conditions.

Although there is no evidence of active exploitation in the wild and this CVE is not currently included in CISA’s Known Exploited Vulnerabilities (KEV) catalog, the availability of a public exploit increases the likelihood of future attacks. Organizations using these modules for critical processes should implement corrective measures immediately.

ProductMELSEC
Date2025-12-04 12:17:56

Technical Summary

The vulnerability is a CWE-306: Missing Authentication for Critical Function within the FTP service on specific MELSEC EtherNet/IP modules. The service does not implement adequate authentication controls, allowing any remote attacker on the network to connect and execute high-privilege operations on the file system without providing credentials.

The attack sequence is simple:

  1. An attacker identifies a vulnerable MELSEC module on the network with the FTP port (TCP/21) exposed.
  2. The attacker initiates an FTP connection using a stand-alone client.
  3. The FTP service grants immediate and unrestricted access to the device’s root file system.
  4. Using standard FTP commands (PUT, GET, DELE), the attacker can exfiltrate sensitive data, overwrite legitimate PLC logic files with malicious code, or delete critical system files to cause a Denial of Service (DoS).

By modifying the PLC logic, an attacker can achieve arbitrary code execution in the context of the industrial process, allowing for the direct manipulation of physical equipment.

Affected modules:

  • MELSEC iQ-R series EtherNet/IP module RJ71EIP91
  • MELSEC iQ-F series EtherNet/IP module FX5-ENET/IP

Users should consult Mitsubishi Electric for information on updated firmware versions.

Recommendations

  • Apply patches immediately: Contact Mitsubishi Electric to obtain and install the latest firmware updates for the affected RJ71EIP91 and FX5-ENET/IP modules.

  • Mitigations:

    • If FTP functionality is not essential for operations, disable the FTP service on the device immediately.
    • Implement strict network segmentation to isolate control system networks from corporate (IT) and external networks.
    • Use a firewall or Access Control Lists (ACLs) to restrict access to the FTP port (TCP/21) on the modules, allowing connections only from explicitly authorized engineering workstations or management servers.

  • Hunting and Monitoring:

    • Monitor network logs for any FTP connections to affected modules originating from untrusted or unauthorized IP addresses.
    • Implement file integrity monitoring on devices to detect unauthorized changes to PLC logic or configuration files.
    • Analyze device logs for unexplained reboots, logic changes, or errors that could indicate a compromise.

  • Incident Response:

    • If a compromise is suspected, follow the OT-specific incident response plan. Isolate compromised devices from the network to contain the threat and prevent lateral movement.
    • Create forensic images of the device’s memory and file system for subsequent analysis.

  • Defense in Depth:

    • Ensure that regular, verified backups of all PLC logic and configuration files are maintained.
    • Enforce strong access controls and authentication for all access to OT networks and devices.

[Callforaction-THREAT-Footer]