Cleartext Transmission Vulnerability in Mitsubishi Electric MELSEC iQ-R Series CPUs
CVE-2021-20599

9.1CRITICAL

Key Information:

Vendor
Mitsubishi Electric Corporation
Status
Melsec Iq-r Series Safety Cpu R08sfcpu
Melsec Iq-r Series Safety Cpu R16sfcpu
Melsec Iq-r Series Safety Cpu R32sfcpu
Melsec Iq-r Series Safety Cpu R120sfcpu
Vendor
CVE Published:
14 October 2021

Summary

A vulnerability allowing remote, unauthenticated attackers to log into the MELSEC iQ-R series Safety and SIL2 Process CPUs by obtaining sensitive credentials, excluding passwords. This flaw is found in specific firmware versions and poses a significant security risk as it permits unauthorized access when sensitive information is transmitted in cleartext. Users are advised to update their firmware to mitigate potential attacks.

Affected Version(s)

MELSEC iQ-R Series Safety CPU R08SFCPU Firmware versions "26" and prior

MELSEC iQ-R series Safety CPU R120SFCPU Firmware versions "26" and prior

MELSEC iQ-R series Safety CPU R16SFCPU Firmware versions "26" and prior

References

https://www.mitsubishielectric.com/en/psirt/vulnerability...
vendor-advisory
https://jvn.jp/vu/JVNVU98578731
government-resource
https://www.cisa.gov/uscert/ics/advisories/icsa-21-287-03
government-resource

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.