CVE-2021-20597

9.1 CRITICAL

📋 TL;DR

This vulnerability allows remote unauthenticated attackers to capture credentials transmitted in plaintext during user registration or password changes on affected Mitsubishi Electric industrial control systems. Attackers can then use these credentials to gain unauthorized access to safety-critical PLCs. Organizations using the specified MELSEC iQ-R series Safety CPU and SIL2 Process CPU modules with vulnerable firmware are affected.

💻 Affected Systems

Products:
  • Mitsubishi Electric MELSEC iQ-R series Safety CPU modules R08/16/32/120SFCPU
  • Mitsubishi Electric MELSEC iQ-R series SIL2 Process CPU modules R08/16/32/120PSFCPU
Versions: Safety CPU: firmware versions '26' and prior; SIL2 Process CPU: firmware versions '11' and prior
Operating Systems: Not applicable - embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists when registering user information or changing passwords. Affects both safety-critical and process control systems in industrial environments.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of safety-critical industrial control systems, allowing attackers to manipulate safety functions, disrupt operations, cause physical damage, or create hazardous conditions in industrial environments.

🟠 Likely Case

Unauthorized access to PLCs enabling attackers to read/write program logic, modify configurations, disrupt industrial processes, or establish persistence in OT networks.

🟢 If Mitigated

Limited impact if systems are air-gapped, network segmentation prevents credential sniffing, and strong authentication controls are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network sniffing capability but no authentication. Credentials are transmitted in plaintext during specific operations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Safety CPU: firmware version '27' or later; SIL2 Process CPU: firmware version '12' or later

Vendor Advisory: https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-009_en.pdf

Restart Required: Yes

Instructions:

1. Download updated firmware from Mitsubishi Electric support portal.
2. Backup current configuration and program.
3. Update firmware using engineering software (MELSOFT).
4. Verify firmware version after update.
5. Restart affected CPU modules.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate affected PLCs in separate network segments to prevent credential sniffing from untrusted networks.

Disable Remote User Management

all

Configure systems to allow user registration and password changes only from local engineering stations, not over the network.

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to prevent unauthorized access to affected PLCs
  • Monitor network traffic for credential sniffing attempts and unauthorized access patterns

🔍 How to Verify

Check if Vulnerable:

Check firmware version via engineering software (MELSOFT) or CPU module display. Safety CPU versions '26' or earlier and SIL2 Process CPU versions '11' or earlier are vulnerable.

Check Version:

Use MELSOFT engineering software to read CPU module firmware version

Verify Fix Applied:

Confirm firmware version is Safety CPU '27' or later or SIL2 Process CPU '12' or later using engineering software.
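The version check above, applied to an asset inventory, as an added example that is not from the vendor advisory or this page's original content. The CSV layout, asset names and sample rows are constructed; the model pattern and fixed-version thresholds are the ones stated on this page, and firmware versions are assumed to be plain decimal numbers.

```python
import csv
import io
import re

# Model pattern from the advisory: R08/16/32/120 + SFCPU (Safety) or PSFCPU (SIL2 Process).
MODEL_RE = re.compile(r"^R(?:08|16|32|120)(P?)SFCPU$")
# First fixed firmware version per family, as stated on this page.
FIXED = {"Safety CPU": 27, "SIL2 Process CPU": 12}

def classify(model, firmware):
    """Return (family, status); status is vulnerable, fixed, unknown or not-affected."""
    m = MODEL_RE.match(model.strip().upper())
    if not m:
        return (None, "not-affected")
    # "R08PSFCPU" also ends in "SFCPU", so decide the family from the optional P,
    # not from a suffix test, or SIL2 modules get the Safety CPU threshold.
    family = "SIL2 Process CPU" if m.group(1) else "Safety CPU"
    digits = firmware.strip().strip("'\"")
    if not digits.isdecimal():
        return (family, "unknown")  # unreadable version: check manually in MELSOFT
    return (family, "vulnerable" if int(digits) < FIXED[family] else "fixed")

# Constructed sample inventory (hypothetical asset names and column layout).
SAMPLE_INVENTORY = """asset,model,firmware
press-line-1,R08SFCPU,26
press-line-2,R16SFCPU,27
reactor-a,R32PSFCPU,11
reactor-b,R120PSFCPU,12
reactor-c,r08psfcpu,'26'
packaging-1,R04CPU,40
boiler-1,R120SFCPU,
"""

def triage(inventory_csv):
    """Map asset name -> (family, status) for every row of the inventory."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["asset"]: classify(r["model"], r["firmware"] or "") for r in rows}

if __name__ == "__main__":
    for asset, (family, status) in triage(SAMPLE_INVENTORY).items():
        print(f"{asset:14} {family or '-':17} {status}")
```

Rows reported as `unknown` have a missing or unparseable version and still need a manual read of the module.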

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed login attempts followed by successful login
  • User account creation or password changes from unexpected sources
  • Network traffic showing plaintext credential transmission

Network Indicators:

  • Sniffing tools on network segments containing PLCs
  • Unauthorized access attempts to CPU modules
  • Plaintext protocol analysis showing credential exposure

SIEM Query:

source_ip IN (PLC_network) AND ((event_type='authentication' AND result='success' AFTER multiple_failures) OR (protocol_analysis LIKE '%password%' OR protocol_analysis LIKE '%credential%'))
