Mitsubishi Electric’s MELSEC iQ-R, iQ-L, and MELIPC series devices have been found vulnerable to a Denial-of-Service (DoS) attack due to improper resource shutdown or release. Identified as CVE-2022-33324, the flaw allows remote attackers to disrupt Ethernet communication by sending specially crafted packets. The vulnerability has been assigned a CVSS score of 7.5, indicating a high severity level. Affected devices require a system reset to recover from the attack.
The vulnerability affects several models with firmware versions below specified thresholds. For instance, MELSEC iQ-R models such as R00/01/02CPU with firmware versions “32” and prior and MELIPC Series MI5122-VW with versions “07” and earlier are impacted. Firmware updates have been released for many devices, and users are urged to upgrade where possible. Devices with non-updatable firmware must rely on mitigation strategies.
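As an added example (not code from Mitsubishi Electric or from this article), the following script triages an asset inventory against the two version thresholds quoted above. The inventory rows, asset names and the `classify`/`triage` helpers are constructed for illustration; models the article does not name are marked for manual review against the vendor advisory rather than assumed safe.

```python
import csv
import io

# Highest affected firmware version per model, taken only from the two
# examples quoted in the article. The vendor advisory covers more models.
AFFECTED_MAX = {
    "R00CPU": 32, "R01CPU": 32, "R02CPU": 32,
    "MI5122-VW": 7,
}

# Constructed sample inventory: asset names and versions are made up.
SAMPLE_INVENTORY = """asset,model,firmware
line1-plc,R01CPU,32
line2-plc,R02CPU,33
hmi-ipc,MI5122-VW,07
packer-plc,R04CPU,40
spare-plc,R00CPU,unknown
"""

def classify(model, firmware):
    """Return 'affected', 'not-affected' or 'review' for one asset."""
    limit = AFFECTED_MAX.get(model.strip().upper())
    if limit is None:
        return "review"  # model not among the article's examples
    fw = firmware.strip().strip('"')
    if not (fw.isascii() and fw.isdigit()):
        return "review"  # version missing or unreadable: do not assume safe
    # Versions are two-digit strings ("07"), so compare them numerically.
    return "affected" if int(fw) <= limit else "not-affected"

def triage(inventory_csv):
    """Map each asset name in a CSV inventory to its classification."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["asset"]: classify(r["model"], r["firmware"]) for r in rows}

if __name__ == "__main__":
    for asset, status in triage(SAMPLE_INVENTORY).items():
        print(f"{asset:12} {status}")
```

Assets reported as `affected` are candidates for the firmware update, or for the network mitigations where the firmware cannot be updated.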
Recommended mitigation measures include using firewalls, VPNs, and IP filtering to prevent unauthorized access. Mitsubishi Electric advises placing control system networks behind secure firewalls and isolating them from general business networks. Restricting network exposure and employing secure remote access methods are critical to minimizing risks.
Users should consult relevant product manuals for firmware update instructions and apply patches from Mitsubishi Electric’s official download site. Customers needing further assistance are encouraged to contact their local Mitsubishi Electric representatives. Regular updates and adherence to cybersecurity best practices remain essential for safeguarding industrial control systems against such vulnerabilities.