CVSS2
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE
AV:N/AC:M/Au:N/C:N/I:N/A:C
CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile: 83.0%
MELSEC iQ-R series CPU modules provided by Mitsubishi Electric Corporation contain an uncontrolled resource consumption vulnerability (CWE-400).
According to the developer, this issue does not occur when “To Use or Not to Use Web Server Settings” in the CPU module parameters is set to “Not Use”. (The default setting is “Not Use”.)
When the CPU module receives a specially crafted HTTP packet from a remote attacker, the product’s program execution and communication may enter a denial-of-service (DoS) condition.
Note that a reset is required for recovery.
Update the software
Apply the appropriate update according to the information provided by the developer.
According to the developer, this vulnerability is fixed in the following firmware versions.
R00/01/02CPU firmware versions “20” and later
R04/08/16/32/120(EN)CPU firmware versions “52” and later
Apply the workarounds
Applying the following workarounds may mitigate the impacts of this vulnerability.
If the Web Server function is not in use, set “To Use or Not to Use Web Server Settings” to “Not Use”
Use a firewall, virtual private network (VPN), etc. to prevent unauthorized access when accessing the Internet
Use the product within a trusted LAN and block access from untrusted networks and hosts by using firewalls
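An added example (not part of the advisory or the vendor's tooling) that triages an asset inventory against the fixed firmware versions and the Web Server setting described above. The record fields, host names and status labels are hypothetical, and it assumes firmware below the stated fixed version is affected.

```python
import re

# First fixed firmware version per CPU group, as stated in the advisory text.
FIXED = {
    ("00", "01", "02"): 20,               # R00/01/02CPU
    ("04", "08", "16", "32", "120"): 52,  # R04/08/16/32/120(EN)CPU
}
MODEL_RE = re.compile(r"R(\d{2,3})(EN)?CPU")

def fixed_version(model):
    """Return the first fixed firmware version for a model named in the advisory, else None."""
    m = MODEL_RE.fullmatch(model.strip().upper())
    if not m:
        return None
    size, en = m.groups()
    for sizes, fixed in FIXED.items():
        # The advisory lists the (EN) variant only for the R04..R120 group.
        if size in sizes and not (en and fixed == 20):
            return fixed
    return None

def triage(asset):
    """Classify one record with keys model, firmware, web_server (True/False/None)."""
    fixed = fixed_version(asset["model"])
    if fixed is None:
        return "not-listed"
    try:
        firmware = int(asset["firmware"])
    except (TypeError, ValueError):
        return "unknown-firmware"         # cannot compare, needs manual review
    if firmware >= fixed:
        return "fixed"
    # Assumption: versions below the fixed one are affected.
    if asset.get("web_server") is False:  # parameter set to "Not Use"
        return "update-pending"           # issue does not occur, update still advised
    return "exposed"                      # web server in use, or setting unknown

# Constructed sample inventory (not real assets).
INVENTORY = [
    {"host": "plc-a", "model": "R04ENCPU", "firmware": "51", "web_server": True},
    {"host": "plc-b", "model": "R01CPU", "firmware": "20", "web_server": True},
    {"host": "plc-c", "model": "R120CPU", "firmware": "40", "web_server": False},
    {"host": "plc-d", "model": "R08CPU", "firmware": "", "web_server": None},
    {"host": "plc-e", "model": "R08PCPU", "firmware": "10", "web_server": True},
    {"host": "plc-f", "model": "R16CPU", "firmware": "30", "web_server": None},
]

def report(inventory=INVENTORY):
    return {a["host"]: triage(a) for a in inventory}
```

An unknown Web Server setting is treated as in use, so a missing inventory field never hides an unpatched module.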
The following MELSEC iQ-R series CPU modules are affected.