CVE-2020-5531
Description
Multiple TCP/IP stack vulnerabilities (URGENT/11) in Mitsubishi Electric MELSEC C Controller and MELIPC Series allow remote denial of service and potential code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2020-5531 covers multiple vulnerabilities in the TCP/IP function (IPnet) of VxWorks, known as "URGENT/11," as they affect Mitsubishi Electric MELSEC C Controller Modules and MELIPC Series MI5000. The affected products are Q24DHCCPU-V and Q24DHCCPU-VG (first 5 digits of serial number 21121 or before), R12CCPU-V (first 2 digits of serial number 11 or before), RD55UP06-V (first 2 digits of serial number 08 or before), and MI5122-VW (first 2 digits of serial number 03 or before, or firmware version 03 or before). The vulnerabilities are reachable through the Ethernet ports (CH1, CH2) and include buffer errors, session fixation, NULL pointer dereference, improper access control, argument injection, and resource management issues [1].
Exploitation
An unauthenticated remote attacker can exploit these vulnerabilities by sending specially crafted network packets to the affected Ethernet ports. No prior authentication or special network position is required; the attacker only needs network connectivity to the device. The specific attack vectors vary per vulnerability but generally involve manipulating TCP/IP packets to trigger memory corruption, denial of service, or code execution [1].
Impact
Successful exploitation can lead to denial of service (device crash or hang) and potentially allow the attacker to execute arbitrary code or malware on the device. This could result in full compromise of the controller, enabling disruption of industrial processes, data theft, or further lateral movement within the network. The impact is severe due to the critical role of these controllers in automation systems [1].
Mitigation
Mitsubishi Electric advises users to update to hardware with serial numbers later than the affected ranges or apply firmware updates as specified in their advisory. For MI5122-VW, firmware version 04 or later is recommended. Users should contact Mitsubishi Electric for specific patch availability and follow their guidance. No workaround is provided; network segmentation and access controls can reduce exposure but do not eliminate the risk [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: serial number constraints per model (see description)
- Range: serial number constraints per model (R12CCPU-V serial 11 or before, RD55UP06-V serial 08 or before)
- Range: firmware version 03 or before; serial number constraints per model
- Mitsubishi Electric Corporation / Mitsubishi Electric MELSEC C Controller Module and MELIPC Series MI5000 v5 Range: MELSEC-Q Series C Controller Module (Q24DHCCPU-V, Q24DHCCPU-VG User Ethernet port (CH1, CH2): First 5 digits of serial number 21121 or before), MELSEC iQ-R Series C Controller Module / C Intelligent Function Module (R12CCPU-V Ethernet port (CH1, CH2): First 2 digits of serial number 11 or before, and RD55UP06-V Ethernet port: First 2 digits of serial number 08 or before), and MELIPC Series MI5000 (MI5122-VW Ethernet port (CH1): First 2 digits of serial number 03 or before, or the firmware version 03 or before)
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- jvn.jp/en/vu/JVNVU95424547/index.html (mitre, x_refsource_MISC)
- www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2019-003_en.pdf (mitre, x_refsource_MISC)