An advisory issued on September 5, 2024, has highlighted a significant vulnerability in Mitsubishi Electric’s MELSEC iQ-R, iQ-L Series, and MELIPC Series equipment. This issue, identified as CVE-2022-33324, involves improper resource shutdown or release, which can be exploited remotely to cause denial-of-service conditions affecting Ethernet communication. With a CVSS v3 base score of 7.5, this vulnerability poses a serious risk to industrial control systems deployed globally.
The affected products include various CPU modules and MELIPC Series devices with specific firmware versions. Exploitation of this flaw could disrupt communication within critical manufacturing systems, impacting their operational integrity. Mitsubishi Electric has provided firmware updates to address this vulnerability, but users of non-updatable products should implement additional security measures to mitigate the risk.
To counter this threat, Mitsubishi Electric recommends several strategies, such as using firewalls, virtual private networks (VPNs), and IP filters to block unauthorized access. These measures are crucial for devices operating in untrusted network environments and are outlined in the relevant user manuals. Users should follow the provided guidelines for updating firmware or applying alternative mitigation techniques to enhance their security posture.
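The IP-filter mitigation described above amounts to an allowlist: each controller should be reachable only from the small set of hosts that legitimately talk to it, and everything else is dropped and logged. The following Python is an added example (not from the advisory and not Mitsubishi Electric's own code) that renders such an allowlist as firewall rules and checks firewall connection records against it, so unauthorized reachability shows up before it turns into lost Ethernet communication. Every address, port, PLC and log line in it is a constructed placeholder; nothing here is a real MELSEC port assignment or a real log format.

```python
"""Allowlist-style IP filtering for PLC Ethernet access (added example).

Two pieces: render_rules() turns a per-PLC source allowlist into iptables
FORWARD rules (accept listed sources, drop everything else to that PLC),
and evaluate() replays constructed connection records against the same
allowlist to flag traffic that should not have reached a controller.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed policy: PLC address -> source networks allowed to reach it.
# The subnet/host roles in the comments are assumptions for the example.
PLC_ALLOWLIST = {
    "10.10.20.5": ["10.10.10.0/24"],                    # engineering VLAN only
    "10.10.20.6": ["10.10.10.0/24", "10.10.30.7/32"],   # engineering VLAN + one HMI
}

# Constructed connection records in a simple key=value layout (not a vendor
# log format); ports are placeholders, not MELSEC protocol assignments.
SAMPLE_LOG = """\
ts=2024-09-06T08:00:01Z src=10.10.10.21 dst=10.10.20.5 proto=TCP dport=5007 action=ALLOW
ts=2024-09-06T08:00:02Z src=192.168.77.4 dst=10.10.20.5 proto=TCP dport=5007 action=ALLOW
ts=2024-09-06T08:00:03Z src=10.10.30.7 dst=10.10.20.6 proto=UDP dport=5006 action=ALLOW
ts=2024-09-06T08:00:04Z src=10.10.30.9 dst=10.10.20.6 proto=TCP dport=5007 action=ALLOW
ts=2024-09-06T08:00:05Z src=10.10.10.22 dst=10.10.20.9 proto=TCP dport=5007 action=ALLOW
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    src: str
    dst: str
    dport: int
    reason: str


_FIELD = re.compile(r"(\w+)=(\S+)")


def parse_record(line: str) -> dict:
    """Split a key=value record into a dict; unknown keys are kept as-is."""
    return dict(_FIELD.findall(line))


def compile_allowlist(allowlist: dict) -> dict:
    """Convert the string policy into ip_address -> [ip_network] for matching."""
    return {
        ipaddress.ip_address(dst): [ipaddress.ip_network(n) for n in nets]
        for dst, nets in allowlist.items()
    }


def render_rules(allowlist: dict) -> list:
    """Render the allowlist as iptables FORWARD rules: accept each listed
    source for a PLC, then drop anything else addressed to that PLC."""
    rules = []
    for dst, nets in allowlist.items():
        for net in nets:
            rules.append(f"iptables -A FORWARD -s {net} -d {dst} -j ACCEPT")
        rules.append(f"iptables -A FORWARD -d {dst} -j DROP")
    return rules


def evaluate(log_text: str, allowlist: dict = PLC_ALLOWLIST) -> list:
    """Replay connection records against the allowlist and return Findings
    for every record that reached a PLC from a source not on its list, or
    that targeted an address not in the PLC inventory at all."""
    policy = compile_allowlist(allowlist)
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse_record(line)
        if not all(k in rec for k in ("src", "dst", "dport")):
            findings.append(Finding(n, rec.get("src", "?"), rec.get("dst", "?"),
                                    -1, "unparseable record"))
            continue
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        dport = int(rec["dport"])
        if dst not in policy:
            # A controller nobody inventoried is itself a gap in the filter.
            findings.append(Finding(n, str(src), str(dst), dport,
                                    "destination not in PLC inventory"))
        elif not any(src in net for net in policy[dst]):
            findings.append(Finding(n, str(src), str(dst), dport,
                                    "source outside allowlist"))
    return findings


if __name__ == "__main__":
    print("\n".join(render_rules(PLC_ALLOWLIST)))
    for f in evaluate(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.src} -> {f.dst}:{f.dport} ({f.reason})")
```

Run against the constructed records, lines 2 and 4 are flagged as sources outside the allowlist and line 5 as a destination that was never inventoried; the first and third records pass. Where the filter lives (a perimeter firewall, a VPN concentrator, or the device's own IP filter, as the user manuals describe) changes the rule syntax but not the allowlist itself, which is why the policy is kept as plain data separate from the rendering.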
CISA advises organizations to conduct thorough impact analyses and risk assessments before deploying any defensive measures. For detailed guidance and best practices, organizations are encouraged to review CISA’s resources on industrial control systems cybersecurity. Although no public exploitation of this vulnerability has been reported, proactive defense strategies are essential to safeguard ICS assets from potential threats.