CVE-2021-20599

9.1 CRITICAL

📋 TL;DR

This vulnerability in Mitsubishi Electric MELSEC iQ-R series Safety and SIL2 Process CPUs allows remote unauthenticated attackers to obtain credentials and log in to industrial control system modules. It affects specific firmware versions of these programmable logic controllers (PLCs) used in industrial automation and safety-critical systems.

💻 Affected Systems

Products:
  • MELSEC iQ-R series Safety CPU R08SFCPU
  • MELSEC iQ-R series Safety CPU R16SFCPU
  • MELSEC iQ-R series Safety CPU R32SFCPU
  • MELSEC iQ-R series Safety CPU R120SFCPU
  • MELSEC iQ-R series SIL2 Process CPU R08PSFCPU
  • MELSEC iQ-R series SIL2 Process CPU R16PSFCPU
  • MELSEC iQ-R series SIL2 Process CPU R32PSFCPU
  • MELSEC iQ-R series SIL2 Process CPU R120PSFCPU
Versions: Safety CPU firmware versions 26 and prior, SIL2 Process CPU firmware versions 11 and prior
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects both Safety CPUs (used in safety-critical applications) and SIL2 Process CPUs (used in safety instrumented systems).

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of industrial control systems allowing attackers to modify safety-critical processes, disrupt operations, or cause physical damage to equipment and personnel.

🟠 Likely Case: Unauthorized access to PLCs enabling attackers to read/write program logic, manipulate industrial processes, or establish persistence in industrial networks.

🟢 If Mitigated: Limited impact if proper network segmentation, access controls, and monitoring prevent unauthorized network access to affected devices.

🌐 Internet-Facing: HIGH - Devices exposed to the internet are trivially exploitable by unauthenticated attackers.
🏢 Internal Only: HIGH - Even internally, any network-accessible device can be exploited without authentication.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to the CPU module but no authentication. The vulnerability involves cleartext transmission of sensitive information that can be intercepted.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Safety CPU firmware version 27 or later, SIL2 Process CPU firmware version 12 or later

Vendor Advisory: https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-011_en.pdf

Restart Required: Yes

Instructions:

1. Download the updated firmware from the Mitsubishi Electric website.
2. Back up the current program and configuration.
3. Update the firmware using MELSOFT engineering software.
4. Restart the CPU module.
5. Verify the firmware version and restore the program if needed.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Isolate affected PLCs in separate network segments with strict firewall rules

Access Control Lists (applies to: all)

Implement network ACLs to restrict access to CPU modules only from authorized engineering stations

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to prevent any unauthorized access to affected devices
  • Deploy network monitoring and intrusion detection specifically for industrial protocols and PLC communications

🔍 How to Verify

Check if Vulnerable:

Check firmware version in MELSOFT engineering software or via CPU module status indicators

Check Version:

Use MELSOFT GX Works3 or similar engineering software to read CPU module firmware version

Verify Fix Applied:

Confirm firmware version is Safety CPU 27+ or SIL2 Process CPU 12+ using engineering software

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized login attempts to CPU modules
  • Unexpected firmware read/write operations
  • Multiple failed authentication attempts followed by successful login

Network Indicators:

  • Cleartext credential transmission on network
  • Unauthorized IP addresses accessing PLC ports
  • Unusual patterns in MELSEC protocol communications

SIEM Query:

source="plc_logs" AND ((event_type="authentication" AND result="success" AND user!="authorized_user") OR (protocol="MELSEC" AND direction="inbound" AND src_ip NOT IN allowed_ips))

Pseudo-query: the outer parentheses scope source="plc_logs" to both branches (AND binds tighter than OR in most SIEM query languages); authorized_user and allowed_ips are placeholders for your own engineering-station account and IP lists.
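As an added example that is not part of the advisory, the following Python ties the "How to Verify" thresholds and the detection logic above together: it classifies an affected model by firmware version and flags constructed PLC log records under the SIEM query's two conditions. It assumes firmware versions compare as plain integers, that the CPU family can be inferred from the model-name suffix (SFCPU for Safety, PSFCPU for SIL2 Process), and that the query's single authorized_user generalizes to a set of authorized accounts.

```python
# Added example (not from the advisory): classify affected MELSEC iQ-R CPUs by
# firmware version and flag PLC log records the way the SIEM query intends.
from typing import Iterable

# Fixed-version thresholds from the advisory: Safety CPU firmware 26 and prior
# and SIL2 Process CPU firmware 11 and prior are affected; 27+ / 12+ carry the fix.
LAST_VULNERABLE = {"safety": 26, "sil2": 11}

def cpu_family(model: str) -> str:
    """Map an affected model name (R08SFCPU, R08PSFCPU, ...) to its family."""
    m = model.upper()
    if m.endswith("PSFCPU"):
        return "sil2"
    if m.endswith("SFCPU"):
        return "safety"
    raise ValueError(f"not an iQ-R Safety/SIL2 Process CPU model: {model}")

def is_vulnerable(model: str, firmware_version: int) -> bool:
    """True when the module still runs a firmware version listed as affected."""
    return firmware_version <= LAST_VULNERABLE[cpu_family(model)]

def flag_events(events: Iterable[dict], allowed_ips: set, authorized_users: set) -> list:
    """Records matching either detection condition: a successful CPU login by a
    user outside the authorised set, or an inbound MELSEC session from a source
    outside the engineering-station allowlist. Both are scoped to plc_logs."""
    hits = []
    for e in events:
        if e.get("source") != "plc_logs":
            continue
        bad_login = (e.get("event_type") == "authentication"
                     and e.get("result") == "success"
                     and e.get("user") not in authorized_users)
        bad_src = (e.get("protocol") == "MELSEC"
                   and e.get("direction") == "inbound"
                   and e.get("src_ip") not in allowed_ips)
        if bad_login or bad_src:
            hits.append(e)
    return hits

# Constructed sample records (not real logs); field names follow the SIEM query.
SAMPLE_EVENTS = [
    {"source": "plc_logs", "event_type": "authentication", "result": "success",
     "user": "eng01", "src_ip": "10.0.5.10"},
    {"source": "plc_logs", "event_type": "authentication", "result": "success",
     "user": "guest", "src_ip": "10.0.9.77"},
    {"source": "plc_logs", "protocol": "MELSEC", "direction": "inbound",
     "src_ip": "10.0.9.77"},
    {"source": "fw_logs", "protocol": "MELSEC", "direction": "inbound",
     "src_ip": "203.0.113.4"},
]
```

Running `flag_events(SAMPLE_EVENTS, {"10.0.5.10"}, {"eng01"})` returns the guest login and the inbound MELSEC session from 10.0.9.77, while the fw_logs record is skipped because it falls outside the plc_logs scope.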
