Information Disclosure Vulnerability in MELSEC Series
Description
Mitsubishi MELSEC iQ-F, iQ-R, Q, L series store credentials in plaintext in project files, allowing remote unauthenticated attackers to log into FTP/web servers.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Mitsubishi MELSEC iQ-F, iQ-R, Q, L series store credentials in plaintext in project files, allowing remote unauthenticated attackers to log into FTP/web servers.
Vulnerability
The vulnerability exists across multiple Mitsubishi MELSEC series, including iQ-F, iQ-R, Q, and L series, across all versions. Project files contain FTP and web server credentials stored in plaintext (CWE-256) [1][2]. An attacker does not require authentication to obtain these files if they can access the project file via network or physical means.
Exploitation
An unauthenticated remote attacker can obtain a project file (e.g., through insecure file sharing or network sniffing) and extract plaintext credentials [1]. With these credentials, the attacker can then log into the FTP or web server of the affected PLC.
Impact
Successful exploitation allows the attacker to log into the FTP server or web server of the device [2], potentially enabling unauthorized file transfers, configuration changes, or further network compromise. The credentials are disclosed in plaintext, violating confidentiality.
Mitigation
As of the publication date, no patched firmware versions have been released. Mitigations include encrypting project files and communication data, and restricting network access via firewalls [1]. Users should follow the workarounds provided in the JVN advisory.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
113(expand)+ 9 more
- (no CPE)
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
(expand)+ 27 more
- (no CPE)
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
all versions+ 49 more
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- Mitsubishi Electric Corporation/MELSEC iQ-F Series FX5UC-32MR/DS-TSv5Range: all versions
- Mitsubishi Electric Corporation/MELSEC iQ-F Series FX5UC-32MT/DSSv5Range: all versions
- Mitsubishi Electric Corporation/MELSEC iQ-F Series FX5UC-32MT/DSS-TSv5Range: all versions
- Mitsubishi Electric Corporation/MELSEC iQ-F Series FX5UC-32MT/DS-TSv5Range: all versions
- Mitsubishi Electric Corporation/MELSEC iQ-F Series FX5UC-64MT/DSSv5Range: all versions
- Mitsubishi Electric Corporation/MELSEC iQ-F Series FX5UC-96MT/DSSv5Range: all versions
- Mitsubishi Electric Corporation/MELSEC-L Series L02CPU-Pv5Range: all versions
- Mitsubishi Electric Corporation/MELSEC-L Series L06CPU-Pv5Range: all versions
- Mitsubishi Electric Corporation/MELSEC-L Series L26CPU-BTv5Range: all versions
- Mitsubishi Electric Corporation/MELSEC-L Series L26CPU-Pv5Range: all versions
- Mitsubishi Electric Corporation/MELSEC-L Series L26CPU-PBTv5Range: all versions
- Mitsubishi Electric Corporation/MELSEC-L Series LJ71E71-100v5Range: all versions
all versions+ 12 more
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
- (no CPE)range: all versions
Patches
0No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
3News mentions
0No linked articles in our index yet.