CVE-2022-25161
Description
Improper input validation in Mitsubishi Electric MELSEC iQ-F series allows remote unauthenticated DoS via specially crafted packets, requiring system reset.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An improper input validation vulnerability (CWE-20) exists in Mitsubishi Electric MELSEC iQ-F series CPU modules, including FX5U, FX5UC, FX5UJ, and FX5S models. Affected versions: FX5U and FX5UC with serial number 17X**** or later, versions prior to 1.270, and with serial number 179**** and prior, versions prior to 1.073; FX5UC-32MT/DS-TS, FX5UC-32MT/DSS-TS, FX5UC-32MR/DS-TS, versions prior to 1.270; FX5UJ-xMy/z, versions prior to 1.030; FX5UJ-xMy/ES-A, versions prior to 1.031; FX5S-xMy/z, version 1.000. The vulnerability can be triggered when the device receives specially crafted packets over the network [1][2].
Exploitation
An attacker can exploit this vulnerability remotely without authentication or user interaction. The attacker sends specially crafted packets to the affected device over the network. No special privileges or network position is required beyond network access to the target device [1][2].
Impact
Successful exploitation causes a denial-of-service (DoS) condition that disrupts normal program execution and communication. The product requires a system reset to recover. No data confidentiality or integrity impact is reported [1][2].
Mitigation
Mitsubishi Electric has released firmware updates to address this vulnerability: update FX5U/FX5UC devices to version 1.270 or later (for serial numbers 17X**** or later) or version 1.073 or later (for serial numbers 179**** and prior); update FX5UJ devices to version 1.030 or later (for standard models) or version 1.031 or later (for ES-A models); FX5S devices should be updated to a fixed version when available (currently version 1.000 is affected). Contact Mitsubishi Electric for updates. There is no known workaround; system reset is required after an attack. This vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [1][2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Mitsubishi Electric/MELSEC iQ-F series FX5U-xMy/z
- Range: <1.270 (serial 17X**** or later) or <1.073 (serial 179**** and prior)
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- jvn.jp/vu/JVNVU95926817/index.html (mitre, x_refsource_MISC)
- www.cisa.gov/uscert/ics/advisories/icsa-22-139-01 (mitre, x_refsource_MISC)
- www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2022-004_en.pdf (mitre, x_refsource_MISC)
News mentions
No linked articles in our index yet.