Improper Access Control in MELSEC iQ-R Series and Network Interface Modules
CVE-2020-5656

9.8CRITICAL

Key Information:

Vendor
Mitsubishi Electric Corporation
Status
Melsec Iq-r Series
Vendor
CVE Published:
2 November 2020

Summary

An improper access control vulnerability exists in the TCP/IP functions of various MELSEC iQ-R series modules. Attackers can exploit this flaw to disrupt network operations or execute unauthorized programs by sending specially crafted packets. This flaw impacts specific firmware versions, particularly those with serial numbers below certain thresholds, allowing potential exploitation by remote, unauthenticated attackers.

Affected Version(s)

MELSEC iQ-R series RJ71EIP91 EtherNet/IP Network Interface Module First 2 digits of serial number are '02' or before, RJ71PN92 PROFINET IO Controller Module First 2 digits of serial number are '01' or before, RD81DL96 High Speed Data Logger Module First 2 digits of serial number are '08' or before, RD81MES96N MES Interface Module First 2 digits of serial number are '04' or before, and RD81OPC96 OPC UA Server Module First 2 digits of serial number are '04' or before

References

https://www.mitsubishielectric.co.jp/psirt/vulnerability/...
x_refsource_MISC
https://www.mitsubishielectric.com/en/psirt/vulnerability...
x_refsource_MISC
https://jvn.jp/vu/JVNVU92513419/index.html
x_refsource_MISC

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.