CVE-2022-25155
📋 TL;DR
This vulnerability allows remote unauthenticated attackers to bypass authentication on affected Mitsubishi Electric PLCs by replaying eavesdropped password hashes. It affects multiple MELSEC iQ-F, iQ-R, Q series, and L series programmable logic controllers. Attackers can gain unauthorized access to industrial control systems without needing the actual passwords.
💻 Affected Systems
- Mitsubishi Electric MELSEC iQ-F series FX5U(C) CPU
- Mitsubishi Electric MELSEC iQ-F series FX5UJ CPU
- Mitsubishi Electric MELSEC iQ-R series R00/01/02CPU
- Mitsubishi Electric MELSEC iQ-R series R04/08/16/32/120(EN)CPU
- Mitsubishi Electric MELSEC iQ-R series R08/16/32/120SFCPU
- Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PCPU
- Mitsubishi Electric MELSEC iQ-R series R08/16/32/120PSFCPU
- Mitsubishi Electric MELSEC iQ-R series RJ71GN11-T2
- Mitsubishi Electric MELSEC iQ-R series RJ71GN11-EIP
- Mitsubishi Electric MELSEC iQ-R series RJ71C24(-R2/R4)
- Mitsubishi Electric MELSEC iQ-R series RJ71EN71
- Mitsubishi Electric MELSEC iQ-R series RJ72GF15-T2
- Mitsubishi Electric MELSEC Q series Q03UDECPU
- Mitsubishi Electric MELSEC Q series Q04/06/10/13/20/26/50/100UDEHCPU
- Mitsubishi Electric MELSEC Q series Q03/04/06/13/26UDVCPU
- Mitsubishi Electric MELSEC Q series Q04/06/13/26UDPVCPU
- Mitsubishi Electric MELSEC Q series QJ71C24N(-R2/R4)
- Mitsubishi Electric MELSEC Q series QJ71E71-100
- Mitsubishi Electric MELSEC Q series QJ72BR15
- Mitsubishi Electric MELSEC Q series QJ72LP25(-25/G/GE)
- Mitsubishi Electric MELSEC L series L02/06/26CPU(-P)
- Mitsubishi Electric MELSEC L series L26CPU-(P)BT
- Mitsubishi Electric MELSEC L series LJ71C24(-R2)
- Mitsubishi Electric MELSEC L series LJ71E71-100
- Mitsubishi Electric MELSEC L series LJ72GF15-T2
📦 What is this software?
- Fx5uc 32mr/ds Ts Firmware by Mitsubishi Electric
- Fx5uc 32mt/d Firmware by Mitsubishi Electric
- Fx5uc 32mt/ds Ts Firmware by Mitsubishi Electric
- Fx5uc 32mt/dss Firmware by Mitsubishi Electric
- Fx5uc 32mt/dss Ts Firmware by Mitsubishi Electric
- Fx5uc Firmware by Mitsubishi Electric
- Fx5uj 24mr/es Firmware by Mitsubishi Electric
- Fx5uj 24mt/es Firmware by Mitsubishi Electric
- Fx5uj 24mt/ess Firmware by Mitsubishi Electric
- Fx5uj 40mr/es Firmware by Mitsubishi Electric
- Fx5uj 40mt/es Firmware by Mitsubishi Electric
- Fx5uj 40mt/ess Firmware by Mitsubishi Electric
- Fx5uj 60mr/es Firmware by Mitsubishi Electric
- Fx5uj 60mt/es Firmware by Mitsubishi Electric
- Fx5uj 60mt/ess Firmware by Mitsubishi Electric
- Fx5uj Firmware by Mitsubishi Electric
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of industrial control systems allowing attackers to modify PLC logic, disrupt manufacturing processes, cause physical damage to equipment, or create safety hazards in critical infrastructure.
Likely Case
Unauthorized access to PLCs enabling attackers to read sensitive industrial data, disrupt operations, or establish persistence for future attacks.
If Mitigated
Limited impact if systems are isolated from untrusted networks and proper network segmentation is implemented.
🎯 Exploit Status
The attack requires network access to eavesdrop on authentication traffic and then replay the captured hash. No authentication is needed for the initial attack.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: N/A
Vendor Advisory: https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-031_en.pdf
Restart Required: No
Instructions:
No firmware patch available. Apply workarounds and network controls. Contact Mitsubishi Electric for specific guidance on affected systems.
🔧 Temporary Workarounds
Network Segmentation
Isolate affected PLCs from untrusted networks using firewalls and VLANs
Encrypted Communication
Use encrypted communication protocols (VPN, TLS) for all PLC network traffic
Access Control Lists
Implement strict network access controls to limit connections to PLCs
🧯 If You Can't Patch
- Implement network segmentation to isolate PLCs from untrusted networks
- Monitor network traffic for authentication attempts and hash replay attacks
- Use VPNs or encrypted tunnels for all remote access to PLCs
- Implement strict firewall rules allowing only necessary connections
- Consider physical isolation of critical systems
🔍 How to Verify
Check if Vulnerable:
Check if you have any of the affected Mitsubishi Electric MELSEC PLC models listed in the advisory
Check Version:
Check PLC model and firmware version through engineering software (MELSOFT products)
Verify Fix Applied:
Verify network segmentation and encryption controls are properly implemented
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts followed by successful login
- Authentication from unexpected IP addresses
- Authentication attempts using same hash value
Network Indicators:
- Repeated authentication packets with identical hash values
- Network sniffing/traffic capture on PLC communication ports
- Unauthorized access to PLC programming ports
SIEM Query:
Search for authentication events on PLC IP addresses with repeated hash values or from unauthorized sources
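The SIEM logic described above, as an added example that is not part of this advisory: it runs over constructed authentication records (the field names are a hypothetical sensor output, not a vendor log format) and flags a hash that reappears from a different source, logins from sources outside an allow list, and a run of failures followed by success. A hash repeated by the same authorized workstation is deliberately not flagged, since with a static hash that is normal behaviour.

```python
from collections import defaultdict

# Constructed sample records: one PLC authentication attempt per record,
# with the hash value the client sent. Field names and values are hypothetical.
SAMPLE_EVENTS = [
    {"src": "10.0.5.20", "plc": "10.0.5.100", "hash": "5d41402a", "result": "ok"},
    {"src": "10.0.5.21", "plc": "10.0.5.100", "hash": "7d793037", "result": "ok"},
    {"src": "10.0.9.77", "plc": "10.0.5.100", "hash": "5d41402a", "result": "ok"},   # replayed hash
    {"src": "10.0.9.77", "plc": "10.0.5.101", "hash": "e99a18c4", "result": "fail"},
    {"src": "10.0.9.77", "plc": "10.0.5.101", "hash": "e99a18c4", "result": "fail"},
    {"src": "10.0.9.77", "plc": "10.0.5.101", "hash": "e99a18c4", "result": "ok"},
    {"src": "10.0.5.20", "plc": "10.0.5.100", "hash": "5d41402a", "result": "ok"},   # legitimate repeat
]

# Engineering workstations allowed to authenticate to PLCs (constructed allow list).
AUTHORIZED_SOURCES = {"10.0.5.20", "10.0.5.21"}


def analyze(events, authorized_sources, fail_threshold=2):
    """Return (rule_name, event_index) alerts for the three indicators listed above."""
    alerts = []
    first_source = {}           # (plc, hash) -> source that first presented this hash
    failures = defaultdict(int)  # (src, plc) -> consecutive failed attempts

    for i, ev in enumerate(events):
        # Indicator: authentication from an unexpected source address.
        if ev["src"] not in authorized_sources:
            alerts.append(("unauthorized_source", i))

        # Indicator: the same hash value reused by a different source than the one
        # that first sent it. Because the hash is static, a second source presenting
        # it is consistent with an eavesdropped-and-replayed credential.
        key = (ev["plc"], ev["hash"])
        if first_source.setdefault(key, ev["src"]) != ev["src"]:
            alerts.append(("hash_replay", i))

        # Indicator: several failures from one source to one PLC, then a success.
        pair = (ev["src"], ev["plc"])
        if ev["result"] == "fail":
            failures[pair] += 1
        else:
            if failures[pair] >= fail_threshold:
                alerts.append(("failures_then_success", i))
            failures[pair] = 0
    return alerts


if __name__ == "__main__":
    for rule, idx in analyze(SAMPLE_EVENTS, AUTHORIZED_SOURCES):
        print(f"{rule:22s} event {idx}: {SAMPLE_EVENTS[idx]}")
```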
🔗 References
- https://jvn.jp/vu/JVNVU96577897/index.html
- https://www.cisa.gov/uscert/ics/advisories/icsa-22-090-04
- https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-031_en.pdf