CVE-2025-7405

Mitsubishi · Mitsubishi Electric Multiple Products

A high-severity vulnerability exists in multiple Mitsubishi Electric industrial control products due to a lack of authentication in the MODBUS/TCP communication protocol.

Executive summary

A high-severity vulnerability exists in multiple Mitsubishi Electric industrial control products due to a lack of authentication in the MODBUS/TCP communication protocol. This flaw could allow an unauthenticated attacker with network access to remotely manipulate device operations, potentially causing process disruption, equipment damage, or unsafe physical conditions.

Vulnerability

The vulnerability, identified as CWE-306: Missing Authentication for Critical Function, exists within the MODBUS/TCP implementation of the affected Mitsubishi Electric MELSEC iQ-F Series CPU modules. The protocol itself does not require any form of authentication, allowing any device on the network to send commands. An unauthenticated remote attacker can exploit this by sending specially crafted MODBUS/TCP packets to a vulnerable device to read sensitive operational data, write malicious values to device registers, or issue commands to stop the CPU, thereby halting the industrial process it controls.

Business impact

This vulnerability is rated as High severity with a CVSS score of 7.3, reflecting the significant risk it poses to operational technology (OT) environments. Successful exploitation could lead to severe business consequences, including production downtime, loss of operational view, and manipulation of physical processes. Specific risks include spoilage of manufactured goods, damage to expensive industrial machinery, and potential safety incidents for personnel working near the controlled equipment. The financial and reputational damage from such an event could be substantial.

Remediation

Immediate Action: The primary remediation is to apply the security updates provided by Mitsubishi Electric to all affected devices immediately. Before applying updates, ensure proper backup and testing procedures are followed in a non-production environment to avoid operational disruption. After patching, continue to monitor for any anomalous activity.

Proactive Monitoring: Implement network security monitoring to detect and alert on suspicious MODBUS/TCP traffic. Specifically, monitor for an unusual volume of write commands (e.g., Function Codes 5, 6, 15, 16) or stop commands originating from unauthorized IP addresses. Review device and network logs for unexpected reboots, program halts, or configuration changes that do not correlate with scheduled maintenance.
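As an added example (not part of this advisory or any vendor tooling), the following Python detector implements the monitoring described above: it parses the MBAP header of constructed Modbus/TCP request frames, flags write function codes from hosts outside an authorized-IP allowlist, and alerts on a write burst from an authorized host. It goes slightly beyond the list above by also treating function codes 22 and 23 as writes; the IPs, frames and threshold are constructed assumptions, and the vendor-specific CPU stop command, which the advisory does not specify, is not modelled.

```python
import struct
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# State-changing Modbus function codes: 5, 6, 15, 16 are named in the advisory;
# 22 (Mask Write Register) and 23 (Read/Write Multiple Registers) also write.
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}

@dataclass
class ModbusRequest:
    src_ip: str
    unit_id: int
    function_code: int

def parse_modbus_tcp(src_ip: str, frame: bytes) -> Optional[ModbusRequest]:
    """Parse the MBAP header and function code of one Modbus/TCP request.

    MBAP layout: transaction id (2), protocol id (2, always 0), length (2),
    unit id (1); the PDU follows and its first byte is the function code.
    Returns None for frames that are truncated or not Modbus/TCP.
    """
    if len(frame) < 8:
        return None
    _tid, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0 or length != len(frame) - 6:
        return None
    return ModbusRequest(src_ip, unit_id, frame[7])

def detect_suspicious_writes(frames: List[Tuple[str, bytes]], authorized_ips: Set[str],
                             volume_threshold: int = 3) -> List[str]:
    """Alert on writes from unauthorized hosts and on write bursts from authorized ones."""
    alerts, writes_per_host = [], Counter()
    for src_ip, frame in frames:
        req = parse_modbus_tcp(src_ip, frame)
        if req is None or req.function_code not in WRITE_FUNCTION_CODES:
            continue
        writes_per_host[src_ip] += 1
        if src_ip not in authorized_ips:
            alerts.append(f"unauthorized write FC {req.function_code} from {src_ip} to unit {req.unit_id}")
    for host, count in writes_per_host.items():
        if host in authorized_ips and count > volume_threshold:
            alerts.append(f"unusual write volume from authorized host {host}: {count} writes")
    return alerts

# Constructed sample traffic (RFC 5737 documentation addresses, not real hosts).
HMI, ROGUE = "192.0.2.10", "192.0.2.77"
SAMPLE_FRAMES = [
    (HMI, bytes.fromhex("000100000006010300000010")),            # FC 3 read, benign
    (ROGUE, bytes.fromhex("000200000006010600100000")),          # FC 6 write single register
    (ROGUE, bytes.fromhex("00030000000b0110000000020400000000")),  # FC 16 write multiple
    (ROGUE, bytes.fromhex("00040000000601")),                    # truncated frame, ignored
] + [(HMI, bytes.fromhex("00050000000601050001ff00"))] * 4      # FC 5 burst from the HMI

if __name__ == "__main__":
    for alert in detect_suspicious_writes(SAMPLE_FRAMES, {HMI}):
        print(alert)
```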

Compensating Controls: If immediate patching is not feasible, implement the following compensating controls to reduce the risk of exploitation:

  • Ensure the control system network is isolated from corporate and external networks using firewalls and a properly configured DMZ.
  • Implement strict Access Control Lists (ACLs) on firewalls and network switches to restrict communication on the MODBUS/TCP port (TCP/502) to only authorized devices, such as specific HMIs or engineering workstations.
  • Disable the MODBUS/TCP service on the device if it is not required for operations.
  • Utilize a secure remote access solution, such as a VPN with multi-factor authentication, for any remote connections to the OT network.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high severity of this vulnerability and its potential to cause significant operational disruption and physical impact, immediate action is required. We strongly recommend that organizations prioritize the deployment of the vendor-supplied patches to all affected Mitsubishi Electric products. While this CVE is not currently listed on the CISA KEV catalog, the inherent risk to critical operational processes warrants urgent attention. If patching must be delayed, the compensating controls outlined above, particularly network segmentation and access restriction, must be implemented without delay to mitigate the immediate threat.