Mitsubishi Electric MELSEC iQ-F Series CPU Module Missing Authentication Vulnerability Allowing Unauthorized Access and Denial-of-Service

A vulnerability exists in the Mitsubishi Electric MELSEC iQ-F Series CPU module due to missing authentication for critical functions. This issue allows remote, unauthenticated attackers to read or write device values and disrupt program operations. The vulnerability arises because MODBUS/TCP lacks authentication features. Affected products include various models in the MELSEC iQ-F series, with specific version details available in the advisory.

Impact

Exploitation of this vulnerability could lead to unauthorized reading or writing of device values and the ability to stop program operations.

Remediation

Mitsubishi Electric has no plans to release a fixed version for this vulnerability. Users are advised to implement the following measures: use a firewall or VPN to prevent unauthorized access, block access from untrusted networks and hosts, use the IP filter function to block untrusted hosts, and restrict physical access to affected products and connected LANs.