MELSEC iQ-R Series CPU Modules vulnerable to uncontrolled resource consumption


MELSEC iQ-R series CPU modules provided by Mitsubishi Electric Corporation contain an uncontrolled resource consumption vulnerability (CWE-400).

According to the developer, in case of "To Use or Not to Use Web Server Settings" in the parameter of CPU modules are set to "Not Use", this issue does not occur. (The default setting is "Not Use".)

TOMOOMI IWATA, KINOSHITA SHUNICHI of NEC Corporation reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 6.8 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High
CVSS V2 Severity:
Base Metrics 5.4 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: High
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Complete
Affected Products

The following MELSEC iQ-R series CPU modules are affected.

Mitsubishi Electric
  • MELSEC iQ-R series R00/01/02CPU Firmware versions from "05" to "19"
  • MELSEC iQ-R series R04/08/16/32/120 (EN) CPU Firmware versions from "35" to "51"


When the CPU module receives a specially crafted HTTP packet from a remote attacker, a denial-of-service (DoS) condition may be caused on the product's program execution and communication.
Note that a reset is required for recovery.

[Update the software]
Apply the appropriate update according to the information provided by the developer.
According to the developer, this vulnerability is fixed in following firmware versions.

* R00/01/02CPU firmware versions "20" and later
* R04/08/16/32/120(EN)CPU firmware versions "52" and later

[Apply the workarounds]
Applying the following workarounds may mitigate the impacts of this vulnerability.
* If Web Server function is not in use, set "Not Use" for "To Use or Not to Use Web Server Settings"
* Use a firewall, virtual private network (VPN), etc. to prevent unauthorized access when accessing the Internet
* Use the product within a trusted LAN and block access from untrusted networks and hosts by using firewalls
Vendor Information

Mitsubishi Electric
CWE (What is CWE?)

  1. No Mapping(CWE-Other) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2020-5666

  1. JVN : JVN#44764844
  2. ICS-CERT ADVISORY : ICSA-20-317-01
Revision History

  • [2020/11/12]
      Web page was published
  • [2020/11/13]
      References : Content was added