Command Injection Flaw in Mitsubishi MELSEC iQ-R Series Network Modules
CVE-2020-5657

6.5 MEDIUM

Key Information:

Vendor
CVE Published: 2 November 2020

Summary

A command injection vulnerability exists in the TCP/IP functionality of Mitsubishi's MELSEC iQ-R series network modules. This flaw allows attackers on the adjacent network to disrupt network operations by sending specially crafted packets. The impacted modules are RJ71EIP91, RJ71PN92, RD81DL96, RD81MES96N, and RD81OPC96, limited to units in the serial number ranges listed under Affected Version(s). This risk emphasizes the importance of securing network interfaces to prevent unauthorized access and maintain operational integrity.

Affected Version(s)

MELSEC iQ-R series:

  • RJ71EIP91 EtherNet/IP Network Interface Module: first 2 digits of serial number are '02' or before

  • RJ71PN92 PROFINET IO Controller Module: first 2 digits of serial number are '01' or before

  • RD81DL96 High Speed Data Logger Module: first 2 digits of serial number are '08' or before

  • RD81MES96N MES Interface Module: first 2 digits of serial number are '04' or before

  • RD81OPC96 OPC UA Server Module: first 2 digits of serial number are '04' or before

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Adjacent Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
