The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an advisory warning of security vulnerabilities in a range of Mitsubishi Electric industrial automation products.
Furthermore, the flaws affect a range of devices in the MELIPC and MELSEC Q series, as well as the MELSEC iQ-R series, and could be used to achieve privilege escalation and launch denial-of-service attacks. CISA advises customers to check the agency’s website and apply the necessary mitigations and updates.
Mitsubishi Electric is a large Japanese engineering and electronics firm that provides a range of industrial automation systems used in factories, power plants, and other critical infrastructure facilities. The affected products are used for various purposes including data acquisition, data processing, and remote monitoring.
The vulnerabilities could allow attackers to gain access to data, disrupt operations, or cause other types of harm.
Additionally, ICS-CERT, the US Computer Emergency Response Team that focuses on industrial control systems, has previously highlighted vulnerabilities in Mitsubishi Electric products.
In 2019, the team published an advisory about vulnerabilities in several MELSEC-Q products, which could have allowed attackers to manipulate PLC logic, alter process parameters, or render devices inoperable.
Finally, the vulnerabilities come amid a broader trend of increasing attacks on industrial control systems and critical infrastructure, as threat actors seek to exploit weaknesses in these systems to cause disruption or gain leverage in geopolitical conflicts.
