Denial of Service (DoS) Vulnerability in MELSEC iQ-R Series Ethernet Interface Module
Description
An unvalidated input flaw in Mitsubishi Electric MELSEC iQ-R Series Ethernet interface units allows remote unauthenticated DoS, requiring a system reset for recovery.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An improper input validation vulnerability (CWE-20) exists in the Ethernet interface unit of Mitsubishi Electric MELSEC iQ-R Series. Affected firmware versions are "65" and prior for both the RJ71EN71 module and the network part of R04/08/16/32/120ENCPU CPUs. The vulnerability allows a remote unauthenticated attacker to cause a denial-of-service (DoS) condition by sending specially crafted packets to the device [1].
Exploitation
An attacker needs network connectivity to the target device. No authentication or prior access is required. By sending a sequence of specially crafted packets to the Ethernet interface, the attacker triggers the input validation flaw, causing the device to enter a DoS state [1].
Impact
Successful exploitation results in a denial-of-service condition that renders the device non-functional. Recovery requires a manual system reset (power cycle or hardware reset). There is no indication of data compromise, privilege escalation, or code execution; the impact is limited to availability loss [1].
Mitigation
The vendor has released firmware version "66" for both the RJ71EN71 and the R04/08/16/32/120ENCPU network part, which addresses the vulnerability. Users should update to firmware version "66" or later via the Mitsubishi Electric FA download site. As a workaround, when connecting the device to the Internet, deploy a firewall or use a virtual private network (VPN) to reduce exposure [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 4
- (no CPE) range: <=65
- (no CPE) range: Network Part Firmware version "65" and prior
- (no CPE) range: <=65
- (no CPE) range: Firmware version "65" and prior
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 2
News mentions: 0
No linked articles in our index yet.