Session Fixation Vulnerability in MELSEC iQ-R Series by Mitsubishi Electric
CVE-2020-5654

7.5 HIGH

Key Information:

Vendor
CVE Published: 2 November 2020

Summary

A session fixation vulnerability exists in the TCP/IP function of the MELSEC iQ-R series firmware. This issue affects several modules, allowing remote unauthenticated attackers to disrupt network operations by sending specially crafted packets. As a result, compromised modules can cease network functionality, potentially impacting industrial control systems and operational efficiency. Users should review their firmware versions and apply necessary updates to mitigate this risk.

Affected Version(s)

MELSEC iQ-R series:

  • RJ71EIP91 EtherNet/IP Network Interface Module: first 2 digits of serial number are '02' or before
  • RJ71PN92 PROFINET IO Controller Module: first 2 digits of serial number are '01' or before
  • RD81DL96 High Speed Data Logger Module: first 2 digits of serial number are '08' or before
  • RD81MES96N MES Interface Module: first 2 digits of serial number are '04' or before
  • RD81OPC96 OPC UA Server Module: first 2 digits of serial number are '04' or before

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
