CVE-2020-5666

7.5 HIGH

📋 TL;DR

This vulnerability allows remote attackers to cause a denial-of-service condition in Mitsubishi Electric MELSEC iQ-R Series CPU Modules by sending specially crafted HTTP packets. The attack can disrupt program execution and communication in affected industrial control systems. Organizations using these specific PLC models with vulnerable firmware versions are affected.

💻 Affected Systems

Products:
  • Mitsubishi Electric MELSEC iQ-R Series CPU Modules
Versions: R00/01/02CPU Firmware versions '05' to '19'; R04/08/16/32/120(EN)CPU Firmware versions '35' to '51'
Operating Systems: Embedded firmware on PLC hardware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects specific CPU modules in the iQ-R series with HTTP services enabled (common in default configurations for remote monitoring).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete disruption of industrial processes controlled by the PLC, potentially causing production downtime, safety system failures, or equipment damage in critical infrastructure.

🟠 Likely Case

Temporary denial-of-service affecting PLC communication and program execution, requiring manual intervention to restart the affected CPU module.

🟢 If Mitigated

No impact if systems are properly segmented and HTTP access is restricted to trusted networks only.

🌐 Internet-Facing: HIGH - If PLCs are directly exposed to the internet, attackers can easily trigger the DoS condition remotely.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this, but network segmentation reduces risk.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted HTTP packets to the vulnerable service. No authentication is required, making this easily exploitable by attackers with network access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: R00/01/02CPU Firmware version '20' or later; R04/08/16/32/120(EN)CPU Firmware version '52' or later

Vendor Advisory: https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-015_en.pdf

Restart Required: Yes

Instructions:

1. Download firmware update from Mitsubishi Electric support portal.
2. Backup current program and configuration.
3. Apply firmware update using engineering software (MELSOFT).
4. Restart CPU module.
5. Verify firmware version and restore program if needed.

🔧 Temporary Workarounds

Network Segmentation

Restrict network access to PLC HTTP services using firewalls or network segmentation.

Disable HTTP Service

Disable the HTTP server functionality on affected CPU modules if not required for operations.

🧯 If You Can't Patch

  • Implement strict network access controls to limit HTTP traffic to trusted sources only
  • Deploy intrusion detection systems to monitor for anomalous HTTP traffic patterns

🔍 How to Verify

Check if Vulnerable:

Check CPU module firmware version via engineering software or web interface. Compare against affected version ranges.

Check Version:

Use MELSOFT engineering software or access CPU module web interface to view firmware version information.

Verify Fix Applied:

Confirm firmware version is updated to patched versions: R00/01/02CPU ≥ '20' or R04/08/16/32/120(EN)CPU ≥ '52'.
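
The version comparison described above can be run across an asset inventory. The following is an added example, not code from the vendor advisory or from MELSOFT: it classifies each entry against the ranges listed on this page. The function names, status labels and inventory rows are constructed for illustration, and the model names are expanded from the page's R00/01/02CPU and R04/08/16/32/120(EN)CPU shorthand.

```python
import re

# Affected ranges copied from this page: R00/01/02CPU; R04/08/16/32/120(EN)CPU.
RANGES = {"small": (5, 19), "large": (35, 51)}
MODEL_RE = re.compile(r"^R(00|01|02|04|08|16|32|120)(EN)?CPU$")


def family(model):
    """Map a model string to its range key, or None if this page does not cover it."""
    m = MODEL_RE.match(model.strip().upper())
    if not m:
        return None
    size, en = m.groups()
    if size in ("00", "01", "02"):
        return None if en else "small"  # the page lists no EN variant for R00/01/02
    return "large"


def classify(model, firmware):
    """Return 'affected', 'fixed', 'below-range', 'unknown-model' or 'bad-version'."""
    fam = family(model)
    if fam is None:
        return "unknown-model"
    fw = str(firmware).strip().strip("'\"")
    if not (fw.isascii() and fw.isdigit()):
        return "bad-version"
    low, high = RANGES[fam]
    ver = int(fw)
    if ver > high:
        return "fixed"  # at or above the patched version ('20' / '52')
    # Versions below the first affected one are not listed by the page as affected.
    return "affected" if ver >= low else "below-range"


# Constructed inventory rows: (asset tag, model, firmware version string).
INVENTORY = [
    ("line1-plc", "R04ENCPU", "51"),
    ("line2-plc", "R120CPU", "52"),
    ("pump-plc", "R01CPU", "05"),
    ("lab-plc", "R02CPU", "04"),
    ("hmi-gw", "Q03UDECPU", "12"),  # not an iQ-R module covered here
]


def report(rows=INVENTORY):
    return {tag: classify(model, fw) for tag, model, fw in rows}

if __name__ == "__main__":
    for tag, status in report().items():
        print(f"{tag:10s} {status}")
```

Entries reported as `unknown-model` or `bad-version` need a manual check in the engineering software rather than being treated as safe.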

📡 Detection & Monitoring

Log Indicators:

  • CPU module error logs showing communication failures
  • HTTP service crash or restart events
  • Unusual HTTP request patterns in web server logs

Network Indicators:

  • Anomalous HTTP traffic to PLC ports (typically 80/443)
  • Multiple malformed HTTP requests from single sources
  • Sudden cessation of normal PLC communication

SIEM Query:

source="plc_logs" AND (event_type="http_error" OR event_type="cpu_fault")
