CVE-2021-20600

Vulnerability

An uncontrolled resource consumption vulnerability (CWE-400) exists in the Mitsubishi Electric MELSEC iQ-R Series C Controller Module R12CCPU-V. Affected firmware versions are "16" and prior [1][2]. The bug is triggered only while the module is starting up; if a large number of packets are received in a short time during that window, the system watchdog timer (WDT) error fires and the module fails to boot [1]. Normal operation after startup is not impacted [1].

Exploitation

An attacker needs network access to the C Controller Module. No authentication is required [2]. The attacker must send a high volume of packets to the module within a short period while the module is in its startup phase [1]. The exact packet rate and timing required to trigger the WDT error are not publicly detailed [1][2]. The exploitation window is limited to the boot sequence; once the module has fully started, the same packet flood does not cause the condition [1].

Impact

Successful exploitation causes a denial-of-service (DoS) condition: the C Controller Module does not complete startup and becomes unavailable [1][2]. Recovery requires a physical system reset of the module [1]. The integrity and confidentiality of data are not directly compromised [2].

Mitigation

Mitsubishi Electric has released firmware version "17" to address the vulnerability [1][2]. Users should update to version "17" or later. As a workaround, if a System WDT error occurs at startup, Mitsubishi Electric advises disconnecting the LAN cable from the module before performing a system reset [2]. No known public exploitation (KEV listing) has been reported as of the publication date.