CVE-2021-20592
📋 TL;DR
A missing synchronization vulnerability in Mitsubishi Electric GOT2000 series and GT SoftGOT2000 allows remote unauthenticated attackers to cause a denial-of-service condition by rapidly connecting to and disconnecting from the MODBUS/TCP communication port. Affected systems include GOT2000 series GT27, GT25, and GT23 models, as well as GT SoftGOT2000 software installations.
💻 Affected Systems
- GOT2000 series GT27 model
- GOT2000 series GT25 model
- GOT2000 series GT23 model
- GT SoftGOT2000
📦 What is this software?
GOT2000 GT23 firmware by Mitsubishi Electric
GOT2000 GT25 firmware by Mitsubishi Electric
GOT2000 GT27 firmware by Mitsubishi Electric
GT SoftGOT2000 by Mitsubishi Electric
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service requiring physical restart or reset of the industrial control system, disrupting operations until manual intervention.
Likely Case
Temporary disruption of MODBUS/TCP communication functions, affecting industrial process monitoring and control until system restart.
If Mitigated
Limited impact with proper network segmentation and access controls preventing unauthorized access to MODBUS/TCP ports.
🎯 Exploit Status
Simple connection flooding attack requiring only network access to MODBUS/TCP port (typically TCP 502).
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to communication driver versions newer than 01.39.010 for GOT2000 series; GT SoftGOT2000 versions newer than 1.256S
Vendor Advisory: https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-007_en.pdf
Restart Required: Yes
Instructions:
1. Download updated firmware/software from Mitsubishi Electric support portal.
2. Follow vendor-specific update procedures for GOT2000 series or GT SoftGOT2000.
3. Restart affected systems after update.
🔧 Temporary Workarounds
Network Segmentation
Isolate MODBUS/TCP communication to trusted networks only
Firewall Rules
Restrict access to TCP port 502 (MODBUS/TCP) to authorized systems only
🧯 If You Can't Patch
- Implement strict network access controls to limit MODBUS/TCP port access to trusted systems only
- Deploy network monitoring and intrusion detection for abnormal connection patterns to MODBUS/TCP port
🔍 How to Verify
Check if Vulnerable:
Check communication driver version on GOT2000 devices or GT SoftGOT2000 software version against affected ranges
Check Version:
Check version through device/system configuration interface (vendor-specific)
Verify Fix Applied:
Verify communication driver version is newer than 01.39.010 for GOT2000 or software version newer than 1.256S for GT SoftGOT2000
📡 Detection & Monitoring
Log Indicators:
- Rapid connection/disconnection attempts to MODBUS/TCP port
- MODBUS/TCP communication failures
- System restart events
Network Indicators:
- High frequency TCP connections to port 502 from single source
- Abnormal MODBUS/TCP traffic patterns
SIEM Query:
dest_port=502 AND ((event_count > 1000 per minute) OR (connection_duration < 1s AND connection_count > 500))
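
The thresholds in the SIEM query above, applied per source/destination pair as a 60-second sliding window over flow records. This is an added example, not from the vendor advisory: the record layout, function names and reason strings are assumptions, and the sample flows and addresses are constructed.

```python
from collections import defaultdict, deque

MODBUS_PORT = 502
WINDOW_S = 60.0          # "per minute" in the page's query
MAX_CONNS = 1000         # page threshold: more than 1000 connections per minute
SHORT_CONN_S = 1.0       # page threshold: connection lasting under 1 s
MAX_SHORT_CONNS = 500    # page threshold: more than 500 such connections

def detect_modbus_churn(records):
    """records: (start_ts, src_ip, dst_ip, dst_port, duration_s) tuples (assumed layout).
    Returns {(src_ip, dst_ip): reason} for each pair that trips a threshold."""
    windows = defaultdict(deque)      # pair -> (ts, is_short) entries inside the window
    short_counts = defaultdict(int)   # pair -> short connections inside the window
    alerts = {}
    for ts, src, dst, dport, dur in sorted(records):
        if dport != MODBUS_PORT:
            continue
        key, is_short = (src, dst), dur < SHORT_CONN_S
        win = windows[key]
        win.append((ts, is_short))
        short_counts[key] += is_short
        while win[0][0] <= ts - WINDOW_S:      # expire entries older than the window
            short_counts[key] -= win.popleft()[1]
        if key in alerts:
            continue                           # report each pair once
        if len(win) > MAX_CONNS:
            alerts[key] = "connection_rate"
        elif short_counts[key] > MAX_SHORT_CONNS:
            alerts[key] = "short_lived_churn"
    return alerts

def constructed_sample():
    """Constructed flow records; addresses are documentation-range placeholders."""
    hmi = "192.0.2.10"   # stands in for the GOT2000 / GT SoftGOT2000 host
    recs = [(i * 5.0, "192.0.2.20", hmi, 502, 4.9) for i in range(120)]           # normal poller
    recs += [(100 + i * 0.02, "192.0.2.66", hmi, 502, 0.01) for i in range(600)]  # connect/disconnect churn
    recs += [(300 + i * 0.05, "192.0.2.77", hmi, 502, 2.0) for i in range(1200)]  # high rate, longer sessions
    recs += [(i * 0.01, "192.0.2.88", hmi, 80, 0.01) for i in range(2000)]        # not MODBUS/TCP, ignored
    return recs

if __name__ == "__main__":
    for pair, reason in detect_modbus_churn(constructed_sample()).items():
        print(pair, reason)
```

The regular poller stays below both thresholds, so only the two abnormal sources are reported; tune the constants against the baseline polling rate of the MODBUS masters on the network.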