VYPR
Unrated severity · NVD Advisory · Published Nov 13, 2019 · Updated Aug 4, 2024

CVE-2019-13555

Description

Remote attackers can cause a denial-of-service condition on the FTP service of Mitsubishi Electric MELSEC-Q/L Series CPUs by connecting at a specific timing.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The vulnerability resides in the FTP server function of Mitsubishi Electric MELSEC-Q Series (Q03/04/06/13/26UDVCPU, Q04/06/13/26UDPVCPU, Q03UDECPU, Q04/06/10/13/20/26/50/100UDEHCPU) with serial number 21081 and prior, and MELSEC-L Series (L02/06/26CPU, L26CPU-BT, L02/06/26CPU-P, L26CPU-PBT, L02/06/26CPU-CM, L26CPU-BT-CM) with serial number 21101 and prior [1]. It is an uncontrolled resource consumption (CWE-400) issue that triggers a denial-of-service condition dependent on the timing at which a remote attacker connects to the FTP server.
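An inventory check built from the model list and serial thresholds above, as an added example that is not part of the advisory or any vendor tooling. It assumes the threshold is compared against the first five digits of the module's serial number; the function names and the inventory rows are constructed for illustration.

```python
import re

# Serial thresholds and model shorthand exactly as listed in the advisory text.
AFFECTED = [
    (21081, "Q03/04/06/13/26UDVCPU, Q04/06/13/26UDPVCPU, Q03UDECPU, "
            "Q04/06/10/13/20/26/50/100UDEHCPU"),
    (21101, "L02/06/26CPU, L26CPU-BT, L02/06/26CPU-P, L26CPU-PBT, "
            "L02/06/26CPU-CM, L26CPU-BT-CM"),
]

def expand(shorthand):
    """Expand 'Q03/04/06UDVCPU' style shorthand into full model names."""
    models = set()
    for item in shorthand.split(","):
        match = re.fullmatch(r"([QL])([\d/]+)(\D.*)", item.strip())
        prefix, numbers, suffix = match.groups()
        models.update(prefix + n + suffix for n in numbers.split("/"))
    return models

# Map every affected model name to the highest affected serial prefix.
MODEL_LIMIT = {m: limit for limit, text in AFFECTED for m in expand(text)}

def assess(model, serial):
    """Classify one inventory row against the advisory's affected range."""
    limit = MODEL_LIMIT.get(model.strip().upper())
    if limit is None:
        return "not-listed"
    # Assumption: the advisory threshold applies to the first five serial digits.
    head = serial.strip()[:5]
    if not re.fullmatch(r"[0-9]{5}", head):
        return "unknown-serial"  # needs a manual check of the rating plate
    return "affected" if int(head) <= limit else "outside-range"

def triage(inventory):
    """Return {asset tag: status} for rows of (tag, model, serial)."""
    return {tag: assess(model, serial) for tag, model, serial in inventory}

INVENTORY = [  # constructed sample rows, not real devices
    ("plc-01", "Q06UDVCPU", "210810000000000"),
    ("plc-02", "Q06UDVCPU", "210820000000000"),
    ("plc-03", "L26CPU-BT", "211010000000000"),
    ("plc-04", "L26CPU-PBT", "2110"),
    ("plc-05", "Q02HCPU", "150000000000000"),
]

if __name__ == "__main__":
    for tag, status in triage(INVENTORY).items():
        print(tag, status)
```

Rows reported as `unknown-serial` should be treated as potentially affected until the serial number is confirmed.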

Exploitation

An attacker with network access to the affected CPU module's FTP server can trigger the vulnerability by connecting at a precise timing. No authentication or user interaction is required; the attack can be executed remotely with low skill level [1]. The exact timing window is not publicly detailed, but the condition is only reached when the attacker's connection attempt coincides with a specific internal state of the FTP server.

Impact

Successful exploitation causes the FTP service to enter a denial-of-service state, preventing any further FTP client connections to the CPU module [1]. The CPU module's control logic and other services remain unaffected; only the FTP server function is disrupted. The CVSS v3 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating a high availability impact with no confidentiality or integrity impact [1].

Mitigation

Mitsubishi Electric has produced a new version of the firmware to address the vulnerability. Affected users should contact their local Mitsubishi Electric representative to obtain the updated firmware [1]. No workaround is documented, and the vulnerability is not known to be listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
