CVE-2020-5652
📋 TL;DR
A denial-of-service vulnerability in Mitsubishi Electric MELSEC industrial control system CPU modules allows remote unauthenticated attackers to send specially crafted packets to Ethernet ports, causing communication functions to stop. This affects multiple series (iQ-R, Q, L) with various firmware versions, potentially disrupting industrial operations.
💻 Affected Systems
- MELSEC iQ-R series CPU modules
- MELSEC Q series CPU modules
- MELSEC L series CPU modules
📦 What is this software?
Melsec Iq R00cpu Firmware by Mitsubishielectric
Melsec Iq R01cpu Firmware by Mitsubishielectric
Melsec Iq R02cpu Firmware by Mitsubishielectric
Melsec Iq R04encpu Firmware by Mitsubishielectric
Melsec Iq R08encpu Firmware by Mitsubishielectric
Melsec Iq R08pcpu Firmware by Mitsubishielectric
Melsec Iq R08psfcpu Firmware by Mitsubishielectric
Melsec Iq R08sfcpu Firmware by Mitsubishielectric
Melsec Iq R120encpu Firmware by Mitsubishielectric
Melsec Iq R120pcpu Firmware by Mitsubishielectric
Melsec Iq R120psfcpu Firmware by Mitsubishielectric
Melsec Iq R120sfcpu Firmware by Mitsubishielectric
Melsec Iq R16encpu Firmware by Mitsubishielectric
Melsec Iq R16mtcpu Firmware by Mitsubishielectric
Melsec Iq R16pcpu Firmware by Mitsubishielectric
Melsec Iq R16psfcpu Firmware by Mitsubishielectric
Melsec Iq R16sfcpu Firmware by Mitsubishielectric
Melsec Iq R32encpu Firmware by Mitsubishielectric
Melsec Iq R32mtcpu Firmware by Mitsubishielectric
Melsec Iq R32pcpu Firmware by Mitsubishielectric
Melsec Iq R32psfcpu Firmware by Mitsubishielectric
Melsec Iq R32sfcpu Firmware by Mitsubishielectric
Melsec Iq R64mtcpu Firmware by Mitsubishielectric
Melsec L02cpu P Firmware by Mitsubishielectric
Melsec L06cpu P Firmware by Mitsubishielectric
Melsec L26cpu P Firmware by Mitsubishielectric
Melsec L26cpu Pbt Firmware by Mitsubishielectric
Melsec Q Q03udecpu Firmware by Mitsubishielectric
Melsec Q Q03udvcpu Firmware by Mitsubishielectric
Melsec Q Q04udehcpu Firmware by Mitsubishielectric
Melsec Q Q04udpvcpu Firmware by Mitsubishielectric
Melsec Q Q04udvcpu Firmware by Mitsubishielectric
Melsec Q Q06udehcpu Firmware by Mitsubishielectric
Melsec Q Q06udpvcpu Firmware by Mitsubishielectric
Melsec Q Q100udehcpu Firmware by Mitsubishielectric
Melsec Q Q10udehcpu Firmware by Mitsubishielectric
Melsec Q Q13udehcpu Firmware by Mitsubishielectric
Melsec Q Q13udpvcpu Firmware by Mitsubishielectric
Melsec Q Q13udvcpu Firmware by Mitsubishielectric
Melsec Q Q170mcpu Firmware by Mitsubishielectric
Melsec Q Q170mscpu S1 Firmware by Mitsubishielectric
Melsec Q Q172dcpu S1 Firmware by Mitsubishielectric
Melsec Q Q172dscpu Firmware by Mitsubishielectric
Melsec Q Q173dcpu S1 Firmware by Mitsubishielectric
Melsec Q Q173dscpu Firmware by Mitsubishielectric
Melsec Q Q20udehcpu Firmware by Mitsubishielectric
Melsec Q Q26udehcpu Firmware by Mitsubishielectric
Melsec Q Q26udpvcpu Firmware by Mitsubishielectric
Melsec Q Q26udvcpu Firmware by Mitsubishielectric
Melsec Q Q50udehcpu Firmware by Mitsubishielectric
Melsec Q Qmr Mq100 Firmware by Mitsubishielectric
⚠️ Risk & Real-World Impact
Worst Case
Complete loss of Ethernet communication on affected PLCs, halting industrial processes, disrupting manufacturing lines, and causing production downtime.
Likely Case
Temporary disruption of network communications to/from PLCs requiring manual restart or firmware update to restore functionality.
If Mitigated
Isolated PLCs with proper network segmentation experience no impact; affected systems can be restored via firmware updates.
🎯 Exploit Status
Crafted packet exploitation requires knowledge of protocol but no authentication; industrial control system vulnerabilities often have limited public exploit details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Updated firmware versions as specified in vendor advisories (e.g., R CPU firmware beyond '20', Q CPU serial numbers beyond specified ranges)
Vendor Advisory: https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-013_en.pdf
Restart Required: Yes
Instructions:
1. Identify affected CPU module model and current firmware version.
2. Download appropriate firmware update from Mitsubishi Electric support portal.
3. Follow vendor firmware update procedures for industrial controllers.
4. Test communication functionality after update.
🔧 Temporary Workarounds
Network Segmentation
Isolate PLC networks from untrusted networks using firewalls or network segmentation.
Access Control Lists
Implement network ACLs to restrict access to PLC Ethernet ports to authorized systems only.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate PLCs from untrusted networks
- Deploy intrusion detection/prevention systems to monitor for anomalous traffic patterns
🔍 How to Verify
Check if Vulnerable:
Check CPU module model and firmware version against affected lists in vendor advisory; verify if Ethernet communication is functional.
Check Version:
Use Mitsubishi Electric engineering tools (GX Works3, etc.) to read CPU module firmware version from PLC.
Verify Fix Applied:
After firmware update, verify Ethernet communication functions properly and check firmware version matches patched version.
📡 Detection & Monitoring
Log Indicators:
- Unexpected loss of Ethernet communication logs in PLC diagnostic tools
- Network traffic anomalies to PLC ports
Network Indicators:
- Unusual packet patterns to PLC Ethernet ports (typically TCP/UDP)
- Sudden cessation of expected PLC communication traffic
SIEM Query:
source_ip=* AND dest_port IN (PLC_ports) AND packet_size/anomaly_detected
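The two network indicators above (traffic reaching PLC Ethernet ports from unexpected hosts, and a PLC that suddenly stops transmitting while peers still poll it) can be checked over exported flow records. This is an added example, not taken from the vendor advisory or this page's tooling; the addresses, ports, allow-list and 30-second threshold are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed inventory: documentation-range addresses, not real devices.
PLC_HOSTS = {"192.0.2.10", "192.0.2.11"}
AUTHORIZED_PEERS = {"192.0.2.50"}   # assumed SCADA/HMI server allowed to reach the PLCs
SILENCE_THRESHOLD_S = 30            # assumption: peers poll every few seconds

@dataclass(frozen=True)
class Flow:
    ts: int         # epoch seconds
    src: str
    dst: str
    dst_port: int   # placeholder port numbers, not taken from the advisory

# Constructed flow records (not captured traffic).
SAMPLE_FLOWS = [
    Flow(1000, "192.0.2.50", "192.0.2.10", 40001),
    Flow(1001, "192.0.2.10", "192.0.2.50", 51000),
    Flow(1002, "192.0.2.50", "192.0.2.11", 40001),
    Flow(1003, "192.0.2.11", "192.0.2.50", 51001),
    Flow(1010, "198.51.100.7", "192.0.2.10", 40001),  # source not on the allow-list
    Flow(1011, "192.0.2.50", "192.0.2.10", 40001),    # polls continue, no replies follow
    Flow(1040, "192.0.2.50", "192.0.2.10", 40001),
    Flow(1041, "192.0.2.50", "192.0.2.11", 40001),
    Flow(1042, "192.0.2.11", "192.0.2.50", 51001),
    Flow(1050, "192.0.2.50", "192.0.2.10", 40001),
]

def unauthorized_sources(flows):
    """Flows that reach a PLC from a host outside the allow-list."""
    allowed = AUTHORIZED_PEERS | PLC_HOSTS
    return [f for f in flows if f.dst in PLC_HOSTS and f.src not in allowed]

def silent_plcs(flows, now):
    """PLCs that are still being addressed but have not transmitted
    for longer than the threshold. Returns {plc: seconds_silent}."""
    last_tx, last_rx = {}, {}
    for f in flows:
        if f.src in PLC_HOSTS:
            last_tx[f.src] = max(last_tx.get(f.src, 0), f.ts)
        if f.dst in PLC_HOSTS:
            last_rx[f.dst] = max(last_rx.get(f.dst, 0), f.ts)
    alerts = {}
    for plc in PLC_HOSTS:
        quiet_for = now - last_tx.get(plc, 0)
        still_polled = now - last_rx.get(plc, 0) <= SILENCE_THRESHOLD_S
        if still_polled and quiet_for > SILENCE_THRESHOLD_S:
            alerts[plc] = quiet_for
    return alerts
```

Requiring that the PLC is still being polled separates a stopped communication function from a planned shutdown where peers also go quiet.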
🔗 References
- https://jvn.jp/vu/JVNVU96558207/index.html
- https://www.mitsubishielectric.co.jp/psirt/vulnerability/pdf/2020-013.pdf
- https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-013_en.pdf