Published:2020/03/30  Last Updated:2020/04/01

Denial-of-service (DoS) vulnerability in Mitsubishi Electric MELSOFT transmission port


MELSOFT transmission port (UDP/IP) of multiple Mistsubishi Electric MELSEC series contains a denial-of-service (DoS) vulnerability due to the uncontrolled resource consumption (CWE-400) isssue.

Products Affected

The units with MELSOFT transmission port (UDP/ID) on Ethernet port embedded in Mitsubishi Electric MELSEC series are affected:

  • MELSEC iQ-R series (all versions)
  • MELSEC iQ-F series (all versions)
  • MELSEC Q series (all versions)
  • MELSEC L series (all versions)
  • MELSEC F series (all versions)


MELSOFT transmission port (UDP/IP) of MELSEC iQ-R,iQ-F,Q,L, and F series provided by Mitsubishi Electric Coporation contains an uncontrolled resource consumption issue (CWE-400).   When MELSOFT transmission port receives massive amount of data, resource consumption occurs and the port does not process the data properly.  As a result, it may fall into a denial-of-service (DoS) condition.


When MELSOFT transmission port does not process data properly, a client becomes unable to communicate with MELSOFT transmission port.  Also, the other devices which communicate using the other communication port may become unable to connect to MELSOFT transmission port.

According to the developer, this vulnerability only affects Ethernet communication functions.


Apply Workarounds
The developer states that this vulnerability does not affect sequential controls, and when a denial-of-service (DoS) condition is ended, the communication functions become to behave properly.  Therefore there is no plan to provide any updates or patches to address to this issue.

However, according to the developer, applying the workaround listed below may mitigate the impacts of this vulnerability.

  • Set up Firewall and restrict access from the devices via network
  • Use IP address filter function and restrict IP addresses which can be connected to
For the details of the mitigations, refer to the information provided by the developer.

Vendor Status

Vendor Link
Mitsubishi Electric Corporation Remote Access Vulnerability in MELSOFT Transmission Port (UDP/IP)


  1. ICS Advisory (ICSA-20-091-02)
    Mitsubishi Electric MELSEC

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Base Score: 5.3
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)
Base Score: 5.0
Access Vector(AV) Local (L) Adjacent Network (A) Network (N)
Access Complexity(AC) High (H) Medium (M) Low (L)
Authentication(Au) Multiple (M) Single (S) None (N)
Confidentiality Impact(C) None (N) Partial (P) Complete (C)
Integrity Impact(I) None (N) Partial (P) Complete (C)
Availability Impact(A) None (N) Partial (P) Complete (C)


Mitsubishi Electric Corporation reported these vulnerabilities to JPCERT/CC to notify users of the solution through JVN.

Other Information

JPCERT Reports
CERT Advisory
CPNI Advisory
CVE CVE-2020-5527
JVN iPedia

Update History

Added a link under the section [References]