Positive Technologies has revealed five critical vulnerabilities within Mitsubishi Electric’s MELSEC System Q and MELSEC System L series PLC processor modules. These modules, extensively utilized across industries such as chemical, semiconductor, and building automation, are pivotal components in industrial control systems (ICS). With Mitsubishi Electric being one of the leading manufacturers of industrial controllers globally, with over 17 million compact PLCs produced, the impact of these vulnerabilities could be significant.
The vulnerabilities, identified as CVE-2024-0802, CVE-2024-0803, CVE-2024-1915, CVE-2024-1916, and CVE-2024-1917, all hold a critical severity rating under the Common Vulnerability Scoring System (CVSS) 3.0, scoring 9.8. Anton Dorfman, Principal Firmware Security Researcher at Positive Technologies, who unearthed these vulnerabilities, underscores the severity, labeling them as remote code execution (RCE) threats. Attackers, leveraging these vulnerabilities, can potentially gain complete control over Mitsubishi Electric PLCs and the associated ICS resources, enabling manipulation of control application programs and posing risks of disruptions in critical industries such as chemical, oil and gas.
According to monitoring data from Positive Technologies, over 200 vulnerable Mitsubishi Electric MELSEC System Q controllers have been detected via specialized online search engines. Predominantly found in Japan (56%), followed by the U.S. (6%), China (5.5%), and other countries, these controllers are susceptible to exploitation due to configuration errors. However, the actual count of vulnerable controllers might surpass the detected figures.
To mitigate the risk of exploitation, Mitsubishi Electric advises implementing firewall and VPN solutions, alongside restricting physical access to controllers, workstations, and network devices interacting with the PLCs. Furthermore, Positive Technologies recommends the utilization of PT Industrial Security Incident Manager (PT ISIM), an advanced industrial traffic analysis system capable of detecting and thwarting attempts to exploit ICS vulnerabilities. PT ISIM specializes in recognizing communication protocols of Mitsubishi Electric MELSEC controllers, scrutinizing commands, and alerting security teams to any suspicious activities or incidents.
This revelation follows Positive Technologies’ prior collaboration with Mitsubishi Electric in rectifying vulnerabilities within FX controllers and engineering software in 2022. The research findings were also presented at Nullcon 2023, underlining the commitment to enhancing industrial cybersecurity and safeguarding critical infrastructure.
