VYPR
Advisory · Published Jun 18, 2026 · 1 source

CISA Warns of Unpatched DoS Flaw in Mitsubishi Electric MELSEC iQ-F Series Ethernet Module

CISA disclosed CVE-2026-8806, an expected behavior violation in Mitsubishi Electric's MELSEC iQ-F Series FX5-ENET/IP Ethernet module, with no fix planned, affecting critical manufacturing globally.

CISA has published an advisory for CVE-2026-8806, a high-severity denial-of-service (DoS) vulnerability in Mitsubishi Electric's MELSEC iQ-F Series FX5-ENET/IP Ethernet module. The flaw, classified as an expected behavior violation (CWE-440), allows a remote unauthenticated attacker to flood the Ethernet port with a large volume of packets in a short period, overwhelming the device's processing load and preventing internal anomaly-detection functions from operating. The result is a complete halt of communication on the affected module, with no fix planned by the vendor.

The vulnerability affects all versions of the Mitsubishi Electric MELSEC iQ-F Series FX5-ENET/IP Ethernet Module (FX5-ENET/IP), a product deployed worldwide in critical manufacturing sectors. The CVSS v3.1 base score is 7.5 (High), with a vector of AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, and the CVSS v4.0 score is 8.7 (High). Mitsubishi Electric has acknowledged the vulnerability in its security advisory (available at https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2026-003_en.pdf) but has stated that no fixed version will be released for the affected product line.

The attack mechanism is straightforward: an attacker with network access can continuously send a high volume of communication packets to the Ethernet port of the module, causing the device's processing load to spike. This prevents the internal anomaly-detection processing from running, ultimately stopping all communication functions. Because the module is designed for industrial control systems (ICS) in critical manufacturing environments, a successful DoS attack could disrupt production lines, halt machinery, or cause cascading failures in connected systems.

Mitsubishi Electric has issued a series of mitigations for customers. The primary recommendation is to use the affected product within a local area network (LAN) and block access from untrusted networks and hosts through firewalls. Additional steps include using the IP filter function of the product to block access from untrusted hosts, restricting physical access to the module and connected PCs and network devices, and installing anti-virus software on PCs that can access the product. For remote access, the company recommends using a virtual private network (VPN) and firewall to prevent unauthorized access, though CISA notes that VPNs may themselves have vulnerabilities.

CISA's advisory, republished from Mitsubishi Electric's Common Security Advisory Framework (CSAF) document, emphasizes that the product is deployed worldwide in critical manufacturing sectors, with the company headquartered in Japan. The agency urges organizations to perform proper impact analysis and risk assessment before deploying defensive measures and to follow established internal procedures for reporting suspected malicious activity. CISA also provides recommended practices for industrial control systems cybersecurity, including defense-in-depth strategies and targeted cyber intrusion detection and mitigation.

The lack of a planned fix for this vulnerability is notable, as it leaves operators of the MELSEC iQ-F Series FX5-ENET/IP module with only workarounds to manage risk. This situation mirrors other recent CISA advisories for industrial control systems where vendors have declined to patch legacy or end-of-life products, forcing reliance on network segmentation and access controls. Organizations using the affected module should prioritize implementing the recommended mitigations and monitor for any signs of exploitation, as the vulnerability is publicly disclosed and could be targeted by threat actors seeking to disrupt critical manufacturing operations.
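With no patch coming, the two controls operators have left are the allowlist and monitoring of traffic toward the module. The Python example below is added here and is not taken from the CISA or Mitsubishi Electric advisories; it checks flow records for sources outside a trusted range and for sources exceeding a per-window packet budget. The record format, addresses, window and threshold are all assumptions to be replaced with site-specific values.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Assumed values, not from the advisory: tune against a baseline of normal traffic.
MODULE_IP = ip_address("192.0.2.10")       # hypothetical FX5-ENET/IP address
TRUSTED = [ip_network("192.0.2.0/28")]     # hosts permitted to reach the module
WINDOW_S = 1.0                             # sliding window length, seconds
MAX_PKTS_PER_WINDOW = 200                  # per-source packet budget per window

def review(records):
    """Scan time-ordered (ts, src, dst, packets) records for traffic to the module.

    Returns (untrusted_sources, flood_sources) as two sets of source addresses.
    """
    untrusted, flood = set(), set()
    windows = defaultdict(deque)           # src -> (ts, packets) inside the window
    totals = defaultdict(int)              # src -> packets inside the window
    for ts, src, dst, pkts in records:
        if ip_address(dst) != MODULE_IP:
            continue                       # only traffic addressed to the module
        if not any(ip_address(src) in net for net in TRUSTED):
            untrusted.add(src)             # should have been blocked upstream
        win = windows[src]
        win.append((ts, pkts))
        totals[src] += pkts
        while win and ts - win[0][0] >= WINDOW_S:   # age out old entries
            totals[src] -= win.popleft()[1]
        if totals[src] > MAX_PKTS_PER_WINDOW:
            flood.add(src)
    return untrusted, flood

# Constructed sample records: (timestamp_s, src, dst, packet_count)
SAMPLE = [
    (0.00, "192.0.2.5", "192.0.2.10", 20),     # trusted host, routine polling
    (0.50, "192.0.2.5", "192.0.2.10", 20),
    (1.00, "198.51.100.7", "192.0.2.10", 5),   # outside the allowlist, low rate
    (2.00, "192.0.2.9", "192.0.2.10", 150),    # trusted host, burst begins
    (2.40, "192.0.2.9", "192.0.2.10", 150),    # 300 packets inside one window
    (2.50, "192.0.2.5", "192.0.2.99", 500),    # not addressed to the module
    (4.00, "192.0.2.9", "192.0.2.10", 150),    # earlier burst has aged out
]

if __name__ == "__main__":
    untrusted, flood = review(SAMPLE)
    print("outside allowlist:", sorted(untrusted))
    print("over rate budget: ", sorted(flood))
```

In the sample, the source that exceeds the budget sits inside the trusted range, which is why rate monitoring is kept alongside the allowlist and does not replace it.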

Synthesized by Vypr AI