cbcvebase.
CVE-2020-16226
published 2020-10-05

Priority: P264 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.27% (80.9th percentile)
Multiple Mitsubishi Electric products are vulnerable to impersonations of a legitimate device by a malicious actor, which may allow an attacker to remotely execute arbitrary commands.

Affected

85 ranges · showing 25

| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| mitsubishi_electric | conveyor_tracking_application | | |
| mitsubishi_electric | conveyor_tracking_application | | |
| mitsubishi_electric | conveyor_tracking_application | | |
| mitsubishi_electric | conveyor_tracking_application | | |
| mitsubishi_electric | d55up12-v | | |
| mitsubishi_electric | fr-a800-e_series | | |
| mitsubishi_electric | fr-a8ncg | | |
| mitsubishi_electric | fr-e800-epa_series | | |
| mitsubishi_electric | fr-e800-epb_series | | |
| mitsubishi_electric | fr-f800-e_series | | |
| mitsubishi_electric | fx3ge_m | | |
| mitsubishi_electric | fx3u-enet | | |
| mitsubishi_electric | fx3u-enet-adp | | |
| mitsubishi_electric | fx3u-enet-l | | |
| mitsubishi_electric | fx3u-enet-p502 | | |
| mitsubishi_electric | fx5-cclgn-ms | | |
| mitsubishi_electric | fx5-enet | | |
| mitsubishi_electric | fx5-enet_ip | | |
| mitsubishi_electric | fx5u_m | >= unspecified < Serial number 17X**** or later: Version 1.210 and prior | Serial number 17X**** or later: Version 1.210 and prior |
| mitsubishi_electric | fx5u_m | >= unspecified < Serial number 179**** and prior: Version 1.070 and prior | Serial number 179**** and prior: Version 1.070 and prior |
| mitsubishi_electric | fx5uc-32m_ts | >= unspecified < Version 1.210 and prior | Version 1.210 and prior |
| mitsubishi_electric | fx5uj_m | | |
| mitsubishi_electric | got1000_series_gt14_model | | |
| mitsubishi_electric | got2000_series_gt21_model | | |
| mitsubishi_electric | gs_series | | |

Detection & IOCs (extracted from sources)

  • The vulnerability involves predictable TCP sequence numbers (CWE-342: Predictable Exact Value from Previous Values), enabling TCP session hijacking. Detect anomalous TCP session takeovers targeting Mitsubishi Electric industrial devices on the network, particularly unexpected command execution sequences from hosts that did not originate the TCP handshake.
  • Monitor for impersonation of legitimate Mitsubishi Electric devices on ICS networks — specifically unexpected or duplicate source IPs/MACs sending commands to affected PLCs, motion controllers, GOT HMIs, or inverter drives.
  • Alert on remote arbitrary command execution attempts directed at affected Mitsubishi Electric product families (MELSEC Q/L/R/FX series PLCs, GOT2000/GS HMIs, FR-A800-E/F800-E/E800-E inverters, servo amplifiers MR-JE-C/MR-J4-TM) from untrusted network segments.
  • Vulnerability is present across a very wide range of Mitsubishi Electric product lines and firmware versions. Some products (e.g., QJ71MES96, QJ71WS96, Q06CCPU-V, NZ2FT-MT, NZ2FT-EIP, IU1-1M20-D, GOT1000 GT14, MR-JE-C, MR-J4-TM, and all Conveyor Tracking APR-*TR* models) have NO fixed version available; detection and network segmentation are the only mitigations for these.
  • The vulnerability class is CWE-342 (Predictable Exact Value from Previous Values), meaning TCP sequence numbers are predictable from observed prior values. Detection logic should account for off-path attackers who have observed legitimate traffic and can inject forged TCP segments.
  • CVSS v3 score is 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L): network-exploitable with low complexity and no authentication required, making it accessible to a broad attacker population.

CVSS provenance

nvd · v3.1 · 9.8 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 7.5 · HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P