Mitsubishi Electric MELSEC iQ-R and iQ-F are industrial control modules used in critical infrastructure and manufacturing sectors to automate complex processes. The business criticality of these devices is extremely high, as their compromise can lead to severe operational disruptions, production downtime, and potential physical safety risks.
The primary risk stems from an insufficient password management policy for the FTP service, which allows the use of weak or easily guessable credentials. This makes the modules highly vulnerable to unauthorized access by remote, unauthenticated attackers. Although no cases of active exploitation of this vulnerability have been reported in the current scenario, it is included in a CISA ICS (Industrial Control Systems) advisory, and a public exploit is available. The low complexity required for the attack makes any device exposed to the internet or not properly segmented a valuable target for opportunistic or targeted attacks. Organizations that do not enforce robust password criteria on these devices are at immediate risk of compromise.
| Product | MELSEC iQ-R/F Series EtherNet/IP |
| Date | 2025-12-04 12:40:00 |
Technical Summary
The root cause of this vulnerability is classified as CWE-521: Weak Password Requirements. The FTP service on the affected Mitsubishi Electric MELSEC modules does not enforce complexity, length, or rotation requirements for passwords, thereby allowing administrators to set trivial or default credentials. An attacker can exploit this weakness without authentication by performing dictionary or brute-force attacks against the FTP service.
The attack sequence unfolds as follows:
- An attacker identifies an exposed FTP service (TCP port 21) on a vulnerable MELSEC module.
- The attacker initiates a high number of login attempts using a list of common or default passwords.
- Due to the absence of password complexity requirements and the potential lack of brute-force protection, the attacker eventually succeeds in guessing the correct credentials.
- After successfully authenticating, the attacker gains full read, write, and delete access to the module’s file system via the FTP protocol.
This access allows the attacker to manipulate critical files, including PLC logic, project files, and system configurations. Altering PLC logic can directly modify the industrial process controlled by the device, leading to plant damage or hazardous operating conditions.
Affected Modules:
- MELSEC iQ-R Series EtherNet/IP module RJ71EIP91
- MELSEC iQ-F Series EtherNet/IP module FX5-ENET/IP
There is no specific patch available for this issue, as it is a configuration weakness. Mitigation requires the adoption of secure configuration practices.
Recommendations
- Apply immediate configuration changes: This vulnerability is mitigated through user action, not a software patch. Immediately apply a strong, complex, and unique password for the FTP service on all affected MELSEC modules.
- Network segmentation and access control: Ensure that the affected modules are not exposed to the internet. Limit access to the FTP service (TCP port 21) to a dedicated management VLAN or a limited set of authorized IP addresses. Adopt a Zero Trust security model where possible.
- Disable unnecessary services: If the FTP service is not essential for operations, disable it completely on the module to eliminate this attack surface.
- Hunt & Monitor:
- Monitor network logs to detect a high number of failed FTP login attempts against MELSEC modules, a possible sign of an ongoing brute-force attack.
- Check firewall logs for any unauthorized connection attempts on TCP port 21 toward devices within the OT network.
- Implement critical file integrity monitoring systems to detect unauthorized changes.
- Incident management:
- If a compromise is suspected, immediately isolate the affected device from the network to prevent further impact.
- Conduct a forensic analysis to determine the extent of the intrusion.
- Restore the device from a clean backup made before the suspected compromise and set a robust password before reconnecting it to the network.
- Defense in depth:
- Regularly audit the configurations of all ICS devices to identify and correct weak passwords and insecure settings.
- Maintain offline backups of all PLC logic and configuration files.
[Callforaction-THREAT-Footer]
