CVE-2020-16850
moderate-risk
Published 2020-11-30
Mitsubishi MELSEC iQ-R Series PLCs with firmware 49 allow an unauthenticated attacker to halt the industrial process by sending a crafted packet over the network. This denial of service attack exposes Improper Input Validation. After halting, physical access to the PLC is required in order to restore production, and the device state is lost. This is related to R04CPU, RJ71GF11-T2, R04CPU, and RJ71GF11-T2.
Do I need to act?
-
0.52% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.5/10
High
NETWORK
/ LOW complexity
Affected Products (19)
R00Cpu Firmware
R01Cpu Firmware
R02Cpu Firmware
R04Cpu Firmware
R08Cpu Firmware
R16Cpu Firmware
R32Cpu Firmware
R120Cpu Firmware
R08Sfcpu Firmware
R16Sfcpu Firmware
R32Sfcpu Firmware
R120Sfcpu Firmware
R08Pcpu Firmware
R16Pcpu Firmware
R32Pcpu Firmware
R120Pcpu Firmware
R16Mtcpu Firmware
R32Mtcpu Firmware
R64Mtcpu Firmware
Affected Vendors
References (4)
Third Party Advisory
https://blog.scadafence.com/vulnerability-in-mitsubishi-electric-melsec-iq-r-ser...
Third Party Advisory
https://us-cert.cisa.gov/ics/advisories/icsa-20-282-02
Third Party Advisory
https://blog.scadafence.com/vulnerability-in-mitsubishi-electric-melsec-iq-r-ser...
Third Party Advisory
https://us-cert.cisa.gov/ics/advisories/icsa-20-282-02
47
/ 100
moderate-risk
Severity
26/34 · High
Exploitability
2/34 · Minimal
Exposure
19/34 · Moderate