VYPR
Unrated severity · NVD Advisory · Published Nov 6, 2023 · Updated Feb 27, 2025

Denial-of-Service (DoS) Vulnerability in Web server function on MELSEC Series CPU module

CVE-2023-4625

Description

Mitsubishi Electric MELSEC iQ-F/iQ-R Series CPU modules' web server function lacks rate limiting on login attempts, allowing a remote unauthenticated attacker to cause a denial-of-service by locking out legitimate users.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

An improper restriction of excessive authentication attempts vulnerability (CWE-307) exists in the web server function of Mitsubishi Electric MELSEC iQ-F and iQ-R Series CPU modules [1][2]. The web server does not limit the number of failed login attempts, enabling a remote attacker to continuously submit unauthorized login requests. Affected products include FX5U, FX5UC, FX5UJ, FX5S, and R00/01/02CPU, R04/08/16/32/120(EN)CPU, and R08/16/32/120/PCPU series with specific serial numbers and firmware versions as detailed in the advisory [2]. The vulnerability is reachable without any prior authentication or special configuration.

Exploitation

An attacker with network access to the affected CPU module's web server can exploit this vulnerability by repeatedly sending login requests with invalid credentials. No authentication or user interaction is required. The attacker simply needs to maintain a continuous stream of unauthorized login attempts to the web server function [1][2].

Impact

Successful exploitation prevents legitimate users from logging into the web server function for a period of time, resulting in a denial-of-service (DoS) condition. The impact persists as long as the attacker continues to send unauthorized login attempts. The CVSS v3.1 base score is 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) [2]. No data confidentiality or integrity is affected.

Mitigation

As of the advisory publication date (2023-11-06), no software update has been announced to address this vulnerability. Users should restrict network access to the web server function to trusted hosts only and monitor for excessive login attempts. Refer to Mitsubishi Electric's official guidance for further mitigation measures [1][2].
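One way to act on the monitoring advice above, as an added example that is not from Mitsubishi Electric's advisory or from this page's sources: a sliding-window check over access-log lines from a reverse proxy or firewall placed in front of the module's web server. The log format, the `/login` path, the 401 failure status and the thresholds are all assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: "<ISO time> <source IP> <method> <path> <status>".
# The format, the /login path and 401-on-failure are assumptions for this example.
def _sample():
    base = datetime(2023, 11, 6, 10, 0, 0)
    lines = [f"{(base + timedelta(seconds=2 * i)).isoformat()} 10.0.9.77 POST /login 401"
             for i in range(30)]                               # sustained failures
    lines += ["2023-11-06T10:00:05 10.0.5.20 POST /login 401",  # a single mistyped password
              "2023-11-06T10:00:09 10.0.5.20 POST /login 200",
              "2023-11-06T10:00:11 10.0.5.20 GET /index.html 200"]
    return sorted(lines)                                       # ISO timestamps sort as text

SAMPLE_LOG = _sample()

def find_login_floods(lines, threshold=10, window=timedelta(seconds=60),
                      login_path="/login", fail_status="401"):
    """Return {source: (first_failure, last_failure, total_failures)} for every
    source that reached `threshold` failed logins inside any `window`."""
    recent = defaultdict(deque)   # source -> failure times still inside the window
    seen = {}                     # source -> [first, last, count] over all failures
    flagged = set()
    for line in lines:
        parts = line.split()
        if len(parts) != 5:
            continue              # skip malformed lines
        ts, src, method, path, status = parts
        if method != "POST" or path != login_path or status != fail_status:
            continue
        t = datetime.fromisoformat(ts)
        q = recent[src]
        q.append(t)
        while t - q[0] > window:  # drop failures older than the window
            q.popleft()
        rec = seen.setdefault(src, [t, t, 0])
        rec[1] = t
        rec[2] += 1
        if len(q) >= threshold:
            flagged.add(src)
    return {s: tuple(seen[s]) for s in flagged}

if __name__ == "__main__":
    for src, (first, last, n) in find_login_floods(SAMPLE_LOG).items():
        print(f"{src}: {n} failed logins from {first} to {last}")
```

The first and last failure times bound the period in which legitimate users were likely unable to log in, since the condition lasts as long as the attempts continue.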

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

81
  • Mitsubishi Electric Corporation/MELSEC iQ-F Series FX5UC-32MR/DS-TSv5
    Range: all versions
  • Mitsubishi Electric Corporation/MELSEC iQ-F Series FX5UC-32MT/DSSv5
    Range: all versions (for serial number 17X**** and later)
  • Mitsubishi Electric Corporation/MELSEC iQ-F Series FX5UC-32MT/DSS-TSv5
    Range: all versions
  • Mitsubishi Electric Corporation/MELSEC iQ-F Series FX5UC-32MT/DS-TSv5
    Range: all versions
  • Mitsubishi Electric Corporation/MELSEC iQ-F Series FX5UC-64MT/DSSv5
    Range: all versions (for serial number 17X**** and later)
  • Mitsubishi Electric Corporation/MELSEC iQ-F Series FX5UC-96MT/DSSv5
    Range: all versions (for serial number 17X**** and later)
  • Mitsubishi Electric Corporation/MELSEC iQ-F Series FX5UJ-24MT/DSSv5
    Range: all versions
  • Mitsubishi Electric Corporation/MELSEC iQ-F Series FX5UJ-40MT/DSSv5
    Range: all versions
  • Mitsubishi Electric Corporation/MELSEC iQ-F Series FX5UJ-60MT/DSSv5
    Range: all versions

Patches

0

No patches discovered yet.

References

3
