VYPR
High severity 7.5 NVD Advisory · Published Jun 15, 2022 · Updated Jun 2, 2026

CVE-2022-24946

Description

Improper resource locking vulnerability in multiple Mitsubishi Electric PLC and MELIPC series allows remote unauthenticated attackers to cause a denial-of-service condition via specially crafted packets.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An improper resource locking vulnerability exists in the Ethernet communication handling of Mitsubishi Electric MELSEC iQ-R Series R12CCPU-V (firmware version 16 and prior), MELSEC-Q Series (various models with specific serial number ranges), MELSEC-L Series (serial numbers 24051 and prior), and MELIPC Series MI5122-VW (firmware version 05 and prior) [1][2]. The flaw occurs when the device processes specially crafted packets, leading to a locked resource that prevents further Ethernet communication.

Exploitation

An attacker can exploit this vulnerability remotely without authentication by sending specially crafted packets to the Ethernet interface of the affected device [1][2]. No user interaction or special network position is required beyond network access to the device.

Impact

Successful exploitation causes a denial-of-service (DoS) condition affecting Ethernet communication on the target device [1][2]. Normal operation cannot resume without a system reset (power cycle or hardware reset) of the affected product [1].

Mitigation

Mitsubishi Electric has not released firmware updates for all affected product lines as of the publication date [2]. Users should refer to the vendor advisory [1] and CISA advisory [2] for the latest information. Recommended mitigations include restricting network access to the affected devices, implementing firewall rules, and contacting Mitsubishi Electric support for available firmware updates [2].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

4

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

3
