CVE-2021-20611
Description
Improper input validation in multiple Mitsubishi Electric MELSEC and MELIPC series allows remote unauthenticated attackers to cause a denial-of-service (DoS) condition, requiring a system reset for recovery.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An improper input validation vulnerability exists in the Ethernet port of multiple Mitsubishi Electric MELSEC and MELIPC series CPU modules and industrial computers. The affected products include [1][2]:
- MELSEC iQ-R Series: R00/01/02CPU (firmware version 24 and prior), R04/08/16/32/120(EN)CPU (firmware version 57 and prior), R08/16/32/120SFCPU (firmware version 26 and prior), R08/16/32/120PCPU (firmware version 29 and prior), R08/16/32/120PSFCPU (firmware version 08 and prior), R16/32/64MTCPU (OS software version 23 and prior), R12CCPU-V (firmware version 16 and prior)
- MELSEC Q Series: Q03UDECPU, Q04/06/10/13/20/26/50/100UDEHCPU (serial number first 5 digits 23121 and prior), Q03/04/06/13/26UDVCPU (serial number first 5 digits 23071 and prior), Q04/06/13/26UDPVCPU (serial number first 5 digits 23071 and prior), Q12DCCPU-V, Q24DHCCPU-V(G), Q24/26DHCCPU-LS (serial number first 5 digits 24031 and prior), MR-MQ100 (OS software version F and prior), Q172/173DCPU-S1 (OS software version W and prior), Q172/173DSCPU (OS software version Y and prior), Q170MCPU (OS software version W and prior), Q170MSCPU(-S1) (OS software version Y and prior)
- MELSEC L Series: L02/06/26CPU(-P), L26CPU-(P)BT (serial number first 5 digits 23121 and prior)
- MELIPC Series: MI5122-VW (firmware version 05 and prior)
The vulnerability occurs when specially crafted packets are sent to the device's Ethernet port, due to improper validation of input data.
Exploitation
An attacker can exploit this vulnerability remotely without authentication by sending specially crafted packets to the affected device's Ethernet port [1][2]. No user interaction or special network position beyond network access is required. The attack complexity is low, as the attacker only needs to send malformed packets to trigger the vulnerability [2].
Impact
Successful exploitation causes a denial-of-service (DoS) condition on the targeted device [1][2]. The device becomes unresponsive and requires a system reset (power cycle) to recover normal operation [2]. The impact is limited to availability, with no compromise of confidentiality or integrity described in the available references.
Mitigation
Mitsubishi Electric has released firmware updates for affected products; users should apply the latest firmware versions as specified in the vendor's advisory [1][2]. For MELSEC Q and L series products identified by serial number, users should update to a serial number later than the affected range. For products identified by OS software version, users should update to a version later than the affected version. If firmware updates cannot be applied immediately, Mitsubishi Electric recommends restricting network access to the affected devices using firewalls or VPNs, and blocking unauthorized access [2]. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
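An inventory triage for the firmware and serial-number ranges given under Vulnerability above, as an added example that is not part of the original record or the vendor's advisory. The rule table is a transcription of this page's ranges, the inventory rows are constructed, and the function names are hypothetical; products identified by OS software version are deliberately left for manual checking.

```python
import re

# Ranges transcribed from the affected-products text on this page:
# (model pattern, field that identifies the build, highest affected value).
RULES = [
    (r"R0[012]CPU",                          "firmware", 24),
    (r"R(04|08|16|32|120)(EN)?CPU",          "firmware", 57),
    (r"R(08|16|32|120)SFCPU",                "firmware", 26),
    (r"R(08|16|32|120)PCPU",                 "firmware", 29),
    (r"R(08|16|32|120)PSFCPU",               "firmware", 8),
    (r"R12CCPU-V",                           "firmware", 16),
    (r"MI5122-VW",                           "firmware", 5),
    (r"Q03UDECPU|Q(04|06|10|13|20|26|50|100)UDEHCPU", "serial", 23121),
    (r"Q(03|04|06|13|26)UDVCPU",             "serial", 23071),
    (r"Q(04|06|13|26)UDPVCPU",               "serial", 23071),
    (r"Q12DCCPU-V|Q24DHCCPU-VG?|Q2[46]DHCCPU-LS", "serial", 24031),
    (r"L(02|06|26)CPU(-P)?|L26CPU-P?BT",     "serial", 23121),
]

def classify(model, firmware="", serial=""):
    """Return 'affected', 'outside affected range' or 'manual check'."""
    name = model.strip().upper()
    for pattern, field, last_affected in RULES:
        if not re.fullmatch(pattern, name):
            continue
        # Serial-identified products are compared on the first 5 digits only.
        value = firmware.strip() if field == "firmware" else serial.strip()[:5]
        if not value.isdigit() or (field == "serial" and len(value) < 5):
            return "manual check"          # missing or malformed inventory data
        return "affected" if int(value) <= last_affected else "outside affected range"
    return "manual check"                  # model not covered by RULES

# Constructed inventory rows (model, firmware version, serial number).
INVENTORY = [
    ("R04ENCPU",   "57", ""),
    ("R08PSFCPU",  "09", ""),
    ("Q03UDVCPU",  "",   "230710000000000"),
    ("L26CPU-PBT", "",   "231220000000000"),
    ("Q172DSCPU",  "",   ""),
]

def triage(rows=INVENTORY):
    """Map each inventory model to its verdict."""
    return {model: classify(model, fw, sn) for model, fw, sn in rows}

if __name__ == "__main__":
    for model, verdict in triage().items():
        print(f"{model:12} {verdict}")
```

Rows that come back as "manual check" need the OS software version or a corrected serial number compared by hand against the vendor advisory.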
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: Firmware versions "05" and prior
- Mitsubishi Electric Corporation/MELSEC L Series L02CPU-P (v5), range: The first 5 digits of serial No. "23121" and prior
- Mitsubishi Electric Corporation/MELSEC L Series L06CPU-P (v5), range: The first 5 digits of serial No. "23121" and prior
- Mitsubishi Electric Corporation/MELSEC L Series L26CPU-BT (v5), range: The first 5 digits of serial No. "23121" and prior
- Mitsubishi Electric Corporation/MELSEC L Series L26CPU-P (v5), range: The first 5 digits of serial No. "23121" and prior
- Mitsubishi Electric Corporation/MELSEC L Series L26CPU-PBT (v5), range: The first 5 digits of serial No. "23121" and prior
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-019_en.pdf (mitre, vendor-advisory)
- jvn.jp/vu/JVNVU94434051/index.html (mitre, government-resource)
- us-cert.cisa.gov/ics/advisories/icsa-21-334-02 (mitre, government-resource)
News mentions
No linked articles in our index yet.