CVE-2022-25163

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote unauthenticated attackers to send specially crafted packets to Mitsubishi Electric PLCs, potentially causing denial of service or executing arbitrary code. Affected systems include specific MELSEC-Q, MELSEC-L, and MELSEC iQ-R series modules with vulnerable firmware versions or serial numbers.

💻 Affected Systems

Products:
  • Mitsubishi Electric MELSEC-Q Series QJ71E71-100
  • Mitsubishi Electric MELSEC-L series LJ71E71-100
  • Mitsubishi Electric MELSEC iQ-R Series RD81MES96N
Versions: Firmware version '08' or prior for RD81MES96N; serial numbers starting with '24061' or prior for QJ71E71-100 and LJ71E71-100
Operating Systems: Embedded PLC firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects specific serial number ranges and firmware versions; requires network access to the vulnerable modules.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete system compromise, manipulation of industrial processes, or permanent device damage.

🟠 Likely Case: Denial of service causing PLCs to crash or become unresponsive, disrupting industrial operations.

🟢 If Mitigated: Limited impact if devices are behind firewalls with strict network segmentation and packet filtering.

🌐 Internet-Facing: HIGH - Remote unauthenticated exploitation possible from any internet-connected attacker.
🏢 Internal Only: HIGH - Even internally, unauthenticated network access could lead to exploitation.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted packets but no authentication; complexity is low because no credentials or prior access are needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware updates available from Mitsubishi Electric; specific version varies by product

Vendor Advisory: https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-006_en.pdf

Restart Required: Yes

Instructions:

1. Download the firmware update from the Mitsubishi Electric support site.
2. Apply the update following the vendor instructions.
3. Restart the affected PLC modules.
4. Verify the firmware version after the update.

🔧 Temporary Workarounds

Network Segmentation (all): Isolate PLCs on separate network segments with strict firewall rules.

Access Control Lists (all): Implement ACLs to restrict network access to PLCs only from authorized IP addresses.

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to block all unnecessary traffic to PLCs.
  • Monitor network traffic for anomalous packets and implement intrusion detection systems.

🔍 How to Verify

Check if Vulnerable:

Check firmware version via Mitsubishi Electric programming software (e.g., GX Works) or serial number on device label.

Check Version:

Use Mitsubishi Electric configuration software to read firmware version from PLC.

Verify Fix Applied:

Verify firmware version is updated beyond vulnerable versions using vendor tools.
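An inventory check for the verification steps above, added here as example code (not from the advisory or from Mitsubishi Electric). It encodes the affected ranges exactly as this page states them; the assumptions that firmware versions are two-digit strings and serial numbers begin with five digits, and the sample inventory, are mine.

```python
# Added example for the "How to Verify" steps above; not code from the advisory or the vendor.
# It encodes the affected ranges exactly as this page states them. Assumptions: firmware
# versions are two-digit strings and serial numbers start with five digits, so string
# comparison orders them correctly; confirm against the vendor advisory before acting.
import re
from typing import Dict, Iterable, List, Optional, Tuple

FIRMWARE_LAST_AFFECTED = {"RD81MES96N": "08"}            # firmware '08' or prior
SERIAL_PREFIX_LAST_AFFECTED = {"QJ71E71-100": "24061",  # serial starting '24061' or prior
                               "LJ71E71-100": "24061"}


def is_vulnerable(product: str, firmware: Optional[str] = None,
                  serial: Optional[str] = None) -> bool:
    """Return True if the module matches an affected range listed on this page."""
    product = product.strip().upper()
    if product in FIRMWARE_LAST_AFFECTED:
        if firmware is None or not re.fullmatch(r"\d{2}", firmware.strip()):
            raise ValueError(f"{product}: two-digit firmware version required, got {firmware!r}")
        return firmware.strip() <= FIRMWARE_LAST_AFFECTED[product]
    if product in SERIAL_PREFIX_LAST_AFFECTED:
        match = re.match(r"\d{5}", (serial or "").strip())
        if not match:
            raise ValueError(f"{product}: serial with 5 leading digits required, got {serial!r}")
        return match.group(0) <= SERIAL_PREFIX_LAST_AFFECTED[product]
    return False  # product is not in the affected list on this page


def triage(inventory: Iterable[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Classify each asset as 'vulnerable', 'not affected' or 'unknown' (data missing)."""
    result = []
    for asset in inventory:
        try:
            status = "vulnerable" if is_vulnerable(asset["product"], asset.get("firmware"),
                                                  asset.get("serial")) else "not affected"
        except ValueError:
            status = "unknown"  # cannot decide without a usable version or serial
        result.append((asset["name"], status))
    return result


# Constructed sample inventory (not real devices)
SAMPLE_INVENTORY = [
    {"name": "line1-eth", "product": "QJ71E71-100", "serial": "240530000000001"},
    {"name": "line2-eth", "product": "LJ71E71-100", "serial": "240620000000002"},
    {"name": "mes-gw", "product": "RD81MES96N", "firmware": "08"},
    {"name": "mes-gw-2", "product": "RD81MES96N"},
]
```

Call triage(SAMPLE_INVENTORY) on an export from your asset inventory; assets reported as "unknown" need their firmware version or serial number collected before they can be cleared.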

📡 Detection & Monitoring

Log Indicators:

  • PLC crash logs, abnormal restart events, or communication errors in industrial control system logs

Network Indicators:

  • Unusual packets to PLC ports (typically TCP/UDP ports used by MELSEC protocols), spikes in network traffic to PLCs

SIEM Query:

(source="plc_logs" AND (event_type="crash" OR event_type="restart")) OR (dest_ip="PLC_IP" AND packet_size>threshold)

PLC_IP and threshold are placeholders: substitute the addresses of the affected modules and a packet-size baseline for your environment. The parentheses are required because AND binds tighter than OR in most query languages; without them the query would only match crash events from plc_logs or oversized packets to PLC_IP from any source, not both clauses independently.
