Published: 2020/11/12  Last Updated: 2020/11/13

MELSEC iQ-R Series CPU Modules vulnerable to uncontrolled resource consumption


MELSEC iQ-R Series CPU Modules provided by Mitsubishi Electric Corporation contain an uncontrolled resource consumption vulnerability.

Products Affected

The following MELSEC iQ-R series CPU modules are affected.

  • R00/01/02CPU Firmware versions from "05" to "19"
  • R04/08/16/32/120(EN)CPU Firmware versions from "35" to "51"


MELSEC iQ-R series CPU modules provided by Mitsubishi Electric Corporation contain an uncontrolled resource consumption vulnerability (CWE-400).

According to the developer, this issue does not occur when "To Use or Not to Use Web Server Settings" in the CPU module parameters is set to "Not Use". (The default setting is "Not Use".)


When the CPU module receives a specially crafted HTTP packet from a remote attacker, the product's program execution and communication may enter a denial-of-service (DoS) condition.
Note that a reset is required for recovery.


Update the software
Apply the appropriate update according to the information provided by the developer.
According to the developer, this vulnerability is fixed in the following firmware versions.

  • R00/01/02CPU firmware versions "20" and later
  • R04/08/16/32/120(EN)CPU firmware versions "52" and later

Apply the workarounds
Applying the following workarounds may mitigate the impacts of this vulnerability.

  • If the Web Server function is not in use, set "Not Use" for "To Use or Not to Use Web Server Settings"
  • Use a firewall, virtual private network (VPN), etc. to prevent unauthorized access when accessing the Internet
  • Use the product within a trusted LAN and block access from untrusted networks and hosts by using firewalls
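
The affected and fixed firmware ranges above, combined with the Web Server setting, can be used to triage an asset inventory. The following is an added example, not code from JVN or the developer; the inventory layout, asset names and status labels are assumptions made for illustration.

```python
import re

# Inclusive affected range and first fixed firmware version, from the advisory.
R00_FAMILY = (5, 19, 20)    # R00/01/02CPU
R04_FAMILY = (35, 51, 52)   # R04/08/16/32/120(EN)CPU
RANGES = {**{s: R00_FAMILY for s in ("00", "01", "02")},
          **{s: R04_FAMILY for s in ("04", "08", "16", "32", "120")}}
MODEL_RE = re.compile(r"R(\d{2,3})(EN)?CPU")

def triage(model, firmware, web_server_in_use):
    """Return (status, action) for one CPU module.

    web_server_in_use is False when "To Use or Not to Use Web Server
    Settings" is "Not Use" (the default), True otherwise.
    """
    m = MODEL_RE.fullmatch(model.strip().upper())
    fw = firmware.strip()
    if not m or m.group(1) not in RANGES or not fw.isdecimal():
        return ("unknown", "check model and firmware version by hand")
    family = RANGES[m.group(1)]
    if m.group(2) and family is R00_FAMILY:
        # The advisory lists (EN) variants only for R04/08/16/32/120.
        return ("unknown", "check model and firmware version by hand")
    low, high, fixed = family
    version = int(fw)
    if version >= fixed:
        return ("fixed", "none")
    if version < low:
        return ("not_listed", "none; firmware predates the listed affected range")
    if web_server_in_use:
        return ("exposed", f'update to firmware "{fixed}" or later; '
                           "restrict network access until then")
    return ("mitigated", f'keep Web Server at "Not Use"; '
                         f'update to firmware "{fixed}" or later')

# Constructed sample inventory (hypothetical asset names, not from the advisory).
SAMPLE = [
    ("line1-plc", "R04ENCPU", "40", True),
    ("line2-plc", "R00CPU", "19", False),
    ("lab-plc", "R120CPU", "52", True),
    ("spare-plc", "R08CPU", "34", False),
]

def triage_inventory(rows):
    return {name: triage(model, fw, web)[0] for name, model, fw, web in rows}

if __name__ == "__main__":
    for name, status in triage_inventory(SAMPLE).items():
        print(name, status)
```

A module reported as "mitigated" still runs firmware in the affected range, so it becomes exposed again if the Web Server function is later enabled.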

Vendor Status

Vendor Link
Mitsubishi Electric Corporation Denial-of-Service Vulnerability in MELSEC iQ-R Series CPU Modules


  1. ICS Advisory (ICSA-20-317-01)
    Mitsubishi Electric MELSEC iQ-R Series

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3
Base Score: 6.8
  Attack Vector (AV): Physical (P) / Local (L) / Adjacent (A) / Network (N)
  Attack Complexity (AC): High (H) / Low (L)
  Privileges Required (PR): High (H) / Low (L) / None (N)
  User Interaction (UI): Required (R) / None (N)
  Scope (S): Unchanged (U) / Changed (C)
  Confidentiality Impact (C): None (N) / Low (L) / High (H)
  Integrity Impact (I): None (N) / Low (L) / High (H)
  Availability Impact (A): None (N) / Low (L) / High (H)

CVSS v2
Base Score: 5.4
  Access Vector (AV): Local (L) / Adjacent Network (A) / Network (N)
  Access Complexity (AC): High (H) / Medium (M) / Low (L)
  Authentication (Au): Multiple (M) / Single (S) / None (N)
  Confidentiality Impact (C): None (N) / Partial (P) / Complete (C)
  Integrity Impact (I): None (N) / Partial (P) / Complete (C)
  Availability Impact (A): None (N) / Partial (P) / Complete (C)


TOMOOMI IWATA, KINOSHITA SHUNICHI of NEC Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

CVE: CVE-2020-5666
JVN iPedia: JVNDB-2020-000072

Update History

Added information under [References] section.