MELSEC iQ-R Series PLC CPU unit resource exhaustion vulnerability

The MELSEC iQ-R series CPU unit provided by Mitsubishi Electric Corporation contains a resource exhaustion vulnerability.

Thursday, November 12, 2020, 7:48 GMT

The following firmware versions of the MELSEC iQ-R series CPU units are affected:

  1. R00 / 01/02 CPU firmware version from “05” to “19”.
  2. R04 / 08/16/32/120 (EN) CPU firmware version from “35” to “51”.


A resource depletion (CWE-400) vulnerability is included in the MELSEC iQ-R series CPU unit supported by Mitsubishi Electric Corporation.

According to the creator, if the ‘Internet server use’ setting in the engineering tool is set to ‘Do not use,’ this vulnerability would not be affected (the default setting is ‘Do not use’).

Expected effect:

It will cause an error in the Processor unit to accept malicious HTTP packets from a remote third party and bring program execution and communication into a denial of service ( DoS) state.

For recovery, a reset is needed.