CVE-2020-5527

high-risk
Published 2020-03-30

When the MELSOFT transmission port (UDP/IP) of Mitsubishi Electric MELSEC iQ-R series (all versions), MELSEC iQ-F series (all versions), MELSEC Q series (all versions), MELSEC L series (all versions), and MELSEC F series (all versions) receives a massive amount of data via unspecified vectors, resource consumption occurs and the port does not process the data properly. As a result, the port may fall into a denial-of-service (DoS) condition. The vendor states that this vulnerability only affects Ethernet communication functions.

Do I need to act?

0.47% chance of exploitation (EPSS score, low exploit probability)
Not on CISA KEV list: no confirmed active exploitation reported to CISA
Patch status unknown: check vendor advisories for fix availability and mitigation guidance
CVSS 7.5/10 High (NETWORK / LOW complexity)

Affected Products (20)

Cr800-Q Firmware
Fx3G Firmware
Fx3Gc Firmware
Fx3S Firmware
Fx3U Firmware
Fx3Uc Firmware
Fx5U Firmware
Fx5Uc Firmware
Fx5Uj Firmware
L02Cpu Firmware
L02Cpu-P Firmware
L02Scpu Firmware
L02Scpu-P Firmware
L06Cpu Firmware
L06Cpu-P Firmware
L26Cpu Firmware
L26Cpu-Bt Firmware
L26Cpu-P Firmware
L26Cpu-Pbt Firmware
Q02Phcpu Firmware

Affected Vendors

53 / 100, high-risk
Severity 26/34 · High
Exploitability 2/34 · Minimal
Exposure 25/34 · High