CVE-2021-20609
Description
Uncontrolled resource consumption in Mitsubishi Electric MELSEC and MELIPC series allows remote unauthenticated attackers to cause denial-of-service via specially crafted packets.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability is an uncontrolled resource consumption (CWE-400) in the Ethernet port handling of multiple Mitsubishi Electric MELSEC iQ-R, Q, L series CPU modules and MELIPC MI5122-VW. Affected firmware versions are listed per model: e.g., R00/01/02CPU firmware up to 24, R04/08/16/32/120(EN)CPU up to 57, etc. For Q series, serial number prefixes determine affected units. The issue is triggered when the device processes specially crafted network packets without proper resource limits [1][2].
Exploitation
An attacker can exploit this vulnerability remotely without authentication. The attack complexity is low. The attacker sends specially crafted packets to the Ethernet port of the affected device. No user interaction or special network position is required beyond network access to the device [1][2].
Impact
Successful exploitation causes a denial-of-service (DoS) condition, rendering the device unresponsive. Recovery requires a system reset (power cycle or hardware reset). The availability of the device is compromised; no data integrity or confidentiality impact is reported [1][2].
Mitigation
Mitsubishi Electric has released firmware updates for affected products. Refer to the vendor advisory for specific fixed versions. For iQ-R series, firmware updates are available; for Q and L series, updating to later serial numbers or OS versions is recommended. The CISA advisory (ICSA-21-334-02) provides details. No workarounds are mentioned; network segmentation and access controls can reduce exposure. The vulnerability is not listed on CISA KEV as of the publication date [1][2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (72)
- (no CPE)
- (no CPE) range: The first 5 digits of serial No. "23121" and prior
- (no CPE) range: The first 5 digits of serial No. "23121" and prior
- (no CPE) range: The first 5 digits of serial No. "23121" and prior
- (no CPE) range: Operating system software version "F" and prior
- (no CPE) range: The first 5 digits of serial No. "23121" and prior
- (no CPE) range: The first 5 digits of serial No. "23121" and prior
- (no CPE) range: The first 5 digits of serial No. "24031" and prior
- (no CPE) range: Operating system software version "Y" and prior
- (no CPE) range: Operating system software version "W" and prior
- (no CPE) range: Operating system software version "W" and prior
- (no CPE) range: The first 5 digits of serial No. "23121" and prior
- (no CPE) range: The first 5 digits of serial No. "24031" and prior
- (no CPE) range: The first 5 digits of serial No. "24031" and prior
- (no CPE) range: The first 5 digits of serial No. "24031" and prior
- (no CPE) range: The first 5 digits of serial No. "24031" and prior
- (no CPE) range: The first 5 digits of serial No. "23121" and prior
- (no CPE) range: The first 5 digits of serial No. "23121" and prior
- (no CPE)
- (no CPE) range: Firmware versions "05" and prior
- (no CPE)
- (no CPE) range: Firmware versions "24" and prior
- (no CPE) range: Firmware versions "24" and prior
- (no CPE) range: Firmware versions "24" and prior
- (no CPE) range: Firmware versions "57" and prior
- (no CPE) range: Firmware versions "57" and prior
- (no CPE) range: Firmware versions "57" and prior
- (no CPE) range: Firmware versions "57" and prior
- (no CPE) range: Firmware versions "29" and prior
- (no CPE) range: Firmware versions "08" and prior
- (no CPE) range: Firmware versions "26" and prior
- (no CPE) range: Firmware versions "57" and prior
- (no CPE) range: Firmware versions "57" and prior
- (no CPE) range: Firmware versions "29" and prior
- (no CPE) range: Firmware versions "08" and prior
- (no CPE) range: Firmware versions "26" and prior
- (no CPE) range: Firmware versions "16" and prior
- (no CPE) range: Firmware versions "57" and prior
- (no CPE) range: Firmware versions "57" and prior
- (no CPE) range: Operating system software version "23" and prior
- (no CPE) range: Firmware versions "29" and prior
- (no CPE) range: Firmware versions "08" and prior
- (no CPE) range: Firmware versions "26" and prior
- (no CPE) range: Firmware versions "57" and prior
- (no CPE) range: Firmware versions "57" and prior
- (no CPE) range: Operating system software version "23" and prior
- (no CPE) range: Firmware versions "29" and prior
- (no CPE) range: Firmware versions "08" and prior
- (no CPE) range: Firmware versions "26" and prior
- (no CPE) range: Operating system software version "23" and prior
- Mitsubishi Electric Corporation/MELSEC L Series L02CPU-P v5 Range: The first 5 digits of serial No. "23121" and prior
- Mitsubishi Electric Corporation/MELSEC L Series L06CPU-P v5 Range: The first 5 digits of serial No. "23121" and prior
- Mitsubishi Electric Corporation/MELSEC L Series L26CPU-BT v5 Range: The first 5 digits of serial No. "23121" and prior
- Mitsubishi Electric Corporation/MELSEC L Series L26CPU-P v5 Range: The first 5 digits of serial No. "23121" and prior
- Mitsubishi Electric Corporation/MELSEC L Series L26CPU-PBT v5 Range: The first 5 digits of serial No. "23121" and prior
- (no CPE) range: The first 5 digits of serial No. "23121" and prior
- (no CPE) range: The first 5 digits of serial No. "23071" and prior
- (no CPE) range: The first 5 digits of serial No. "23121" and prior
- (no CPE) range: The first 5 digits of serial No. "23071" and prior
- (no CPE) range: The first 5 digits of serial No. "23071" and prior
- (no CPE) range: The first 5 digits of serial No. "23121" and prior
- (no CPE) range: The first 5 digits of serial No. "23071" and prior
- (no CPE) range: The first 5 digits of serial No. "23071" and prior
- (no CPE) range: The first 5 digits of serial No. "23121" and prior
- (no CPE) range: The first 5 digits of serial No. "23071" and prior
- (no CPE) range: The first 5 digits of serial No. "23071" and prior
- (no CPE) range: Operating system software version "W" and prior
- (no CPE) range: Operating system software version "Y" and prior
- (no CPE) range: Operating system software version "Y" and prior
- (no CPE) range: Operating system software version "Y" and prior
- (no CPE) range: The first 5 digits of serial No. "23071" and prior
- (no CPE) range: The first 5 digits of serial No. "23071" and prior
Patches
No patches discovered yet.
References
- www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-019_en.pdf (mitre, vendor-advisory)
- jvn.jp/vu/JVNVU94434051/index.html (mitre, government-resource)
- us-cert.cisa.gov/ics/advisories/icsa-21-334-02 (mitre, government-resource)