CVE-2020-13238

moderate-risk
Published 2020-06-10

Mitsubishi MELSEC iQ-R Series PLCs with firmware 33 allow attackers to halt the industrial process by sending an unauthenticated crafted packet over the network, because this denial of service attack consumes excessive CPU time. After halting, physical access to the PLC is required in order to restore production.

Do I need to act?

0.30% chance of exploitation
EPSS score — low exploit probability

Not on CISA KEV list
No confirmed active exploitation reported to CISA

Patch status unknown
Check vendor advisories for fix availability and mitigation guidance

CVSS 7.5/10 High
NETWORK / LOW complexity

Affected Products (20)

MELSEC iQ-R00CPU Firmware
MELSEC iQ-R01CPU Firmware
MELSEC iQ-R02CPU Firmware
MELSEC iQ-R04CPU Firmware
MELSEC iQ-R08CPU Firmware
MELSEC iQ-R16CPU Firmware
MELSEC iQ-R32CPU Firmware
MELSEC iQ-R120CPU Firmware
MELSEC iQ-R08FCPU Firmware
MELSEC iQ-R16FCPU Firmware
MELSEC iQ-R32FCPU Firmware
MELSEC iQ-R120FCPU Firmware
MELSEC iQ-R08PCPU Firmware
MELSEC iQ-R16PCPU Firmware
MELSEC iQ-R32PCPU Firmware
MELSEC iQ-R120PCPU Firmware
MELSEC iQ-R08SFCPU Firmware
MELSEC iQ-R16SFCPU Firmware
MELSEC iQ-R32SFCPU Firmware
MELSEC iQ-R120SFCPU Firmware

Affected Vendors

47 / 100
moderate-risk
Severity 26/34 · High
Exploitability 1/34 · Minimal
Exposure 20/34 · Moderate