CVE-2024-1915
📋 TL;DR
A remote code execution vulnerability in Mitsubishi Electric MELSEC-Q and MELSEC-L Series CPU modules allows unauthenticated attackers to execute arbitrary malicious code by sending specially crafted packets. This affects industrial control systems using these programmable logic controllers, potentially compromising critical infrastructure operations.
💻 Affected Systems
- Mitsubishi Electric MELSEC-Q Series CPU modules
- Mitsubishi Electric MELSEC-L Series CPU modules
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of industrial control systems leading to physical damage, production shutdowns, safety system manipulation, or data exfiltration from operational technology networks.
Likely Case
Disruption of industrial processes, unauthorized control of machinery, data manipulation, or lateral movement into corporate IT networks from OT environments.
If Mitigated
Limited impact if systems are air-gapped with proper network segmentation, though risk remains from insider threats or compromised maintenance systems.
🎯 Exploit Status
Remote unauthenticated exploitation via network packets; CVSS 9.8 indicates trivial exploitation with high impact
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Refer to Mitsubishi Electric advisory 2023-024 for specific firmware versions
Vendor Advisory: https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-024_en.pdf
Restart Required: Yes
Instructions:
1. Download updated firmware from Mitsubishi Electric support portal.
2. Backup current configuration and program.
3. Apply firmware update following vendor instructions.
4. Restart PLC.
5. Verify functionality.
🔧 Temporary Workarounds
- Network segmentation and firewall rules: Isolate PLCs from untrusted networks using firewalls and VLANs
- Disable unnecessary network services: Turn off unused communication protocols and ports on PLCs
🧯 If You Can't Patch
- Implement strict network access controls allowing only trusted IP addresses to communicate with PLCs
- Deploy intrusion detection systems monitoring for anomalous traffic patterns to PLCs
🔍 How to Verify
Check if Vulnerable:
Check firmware version against vulnerable versions listed in Mitsubishi advisory 2023-024
Check Version:
Use Mitsubishi GX Works3 or similar engineering software to read CPU module firmware version
Verify Fix Applied:
Verify firmware version matches patched versions in vendor advisory and test communication functionality
📡 Detection & Monitoring
Log Indicators:
- Unusual network connections to PLC ports
- Multiple failed connection attempts followed by successful connection
- Anomalous packet patterns to PLC communication ports
Network Indicators:
- Malformed packets to PLC communication ports (typically TCP/UDP ports used by MELSEC protocol)
- Traffic from unexpected source IPs to PLCs
- Unusual payload sizes in PLC communications
SIEM Query:
source_ip NOT IN (trusted_ips) AND dest_port IN (plc_ports) AND protocol IN (tcp, udp)
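The query and indicators above, written out as detection logic over a constructed flow log. This is an added example, not code from the vendor advisory or this database; the trusted subnet, port numbers, thresholds and log format are assumptions to replace with values from your own environment.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Assumptions (site-specific, not taken from the advisory): replace with your own values.
TRUSTED_NETS = [ipaddress.ip_network("10.10.20.0/28")]  # engineering workstations / HMIs
PLC_PORTS = {("tcp", 5007), ("udp", 5006)}  # example values; confirm in the module settings
MAX_PAYLOAD = 1024   # bytes; derive from a baseline of normal PLC traffic
FAIL_THRESHOLD = 3   # failed attempts before a later success is flagged

# Constructed sample flow log: time,src,dst,proto,dport,bytes,state
SAMPLE = """\
2024-03-14T08:00:01Z,10.10.20.5,10.10.30.11,tcp,5007,212,ESTABLISHED
2024-03-14T08:02:10Z,192.0.2.44,10.10.30.11,tcp,5007,0,REJECTED
2024-03-14T08:02:11Z,192.0.2.44,10.10.30.11,tcp,5007,0,REJECTED
2024-03-14T08:02:12Z,192.0.2.44,10.10.30.11,tcp,5007,0,REJECTED
2024-03-14T08:02:15Z,192.0.2.44,10.10.30.11,tcp,5007,4096,ESTABLISHED
2024-03-14T08:05:00Z,10.10.20.5,10.10.30.11,udp,5006,1800,ESTABLISHED
2024-03-14T08:06:00Z,192.0.2.44,10.10.30.11,tcp,443,300,ESTABLISHED
"""

def is_trusted(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_NETS)

def analyze(log_text):
    alerts, failures = [], defaultdict(int)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 7:
            continue  # skip blank or malformed lines
        ts, src, dst, proto, dport, size, state = row
        if (proto.lower(), int(dport)) not in PLC_PORTS:
            continue  # only traffic aimed at PLC communication ports
        if not is_trusted(src):  # source_ip NOT IN (trusted_ips)
            alerts.append(("UNTRUSTED_SOURCE", ts, src, dst))
        if int(size) > MAX_PAYLOAD:  # unusual payload size
            alerts.append(("OVERSIZED_PAYLOAD", ts, src, dst))
        key = (src, dst)
        if state == "ESTABLISHED":
            if failures[key] >= FAIL_THRESHOLD:  # failures followed by success
                alerts.append(("FAIL_THEN_SUCCESS", ts, src, dst))
            failures[key] = 0
        else:
            failures[key] += 1  # any other state counts as a failed attempt
    return alerts

if __name__ == "__main__":
    for alert in analyze(SAMPLE):
        print(*alert)
```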
🔗 References
- https://jvn.jp/vu/JVNVU99690199/
- https://www.cisa.gov/news-events/ics-advisories/icsa-24-074-14
- https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-024_en.pdf