Mitsubishi Electric MELSEC iQ-F Series EtherNet/IP module and Ethernet module


An always-incorrect control flow implementation vulnerability may allow a remote attacker to cause a denial-of-service condition by continuously sending UDP packets to the affected products.



Affected Products

Mitsubishi Electric MELSEC iQ-F Series EtherNet/IP module and Ethernet module

Vendor:
Mitsubishi Electric

Product Version:
Mitsubishi Electric MELSEC iQ-F Series FX5-ENET/IP Ethernet Module (FX5-ENET/IP): versions 1.106 and prior
Mitsubishi Electric MELSEC iQ-F Series FX5-EIP EtherNet/IP Module (FX5-EIP): all versions

Product Status:
known_affected

Remediations

Vendor fix
Users of FX5-ENET/IP versions 1.106 and prior should download the update file for version 1.107 or later and apply it. The update file is available at: https://www.mitsubishielectric.com/fa/download/index.html.

Mitigation
The fixed version for the FX5-EIP is scheduled to be released in the near future. In the meantime, users should apply mitigations or workarounds.

Mitigation
For users of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric recommends using a firewall, virtual private network (VPN), etc. and preventing unauthorized access when internet access is required, to minimize the risk of exploiting this vulnerability.

Mitigation
For users of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric recommends using the affected product within a LAN and blocking access from untrusted networks and hosts through firewalls, to minimize the risk of exploiting this vulnerability.

Mitigation
For users of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric recommends using the IP filter function of the affected product and blocking access from untrusted hosts, to minimize the risk of exploiting this vulnerability. For details on the IP filter function, refer to “13.1 IP Filter Function” in the MELSEC iQ-F FX5 User’s Manual (Communication).

Mitigation
For users of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric recommends restricting physical access to the affected product, as well as to PCs and network devices to which it is connected, to minimize the risk of exploiting this vulnerability.

Mitigation
For users of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric recommends installing anti-virus software on PCs that can access the affected product, to minimize the risk of exploiting this vulnerability.

Mitigation
For more information, see Mitsubishi Electric 2025-021. https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-021_en.pdf

Relevant CWE: CWE-670 Always-Incorrect Control Flow Implementation

