CVE-2020-16226
Published: 2020-10-05
Priority: P264 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.27% (80.9th percentile)
Multiple Mitsubishi Electric products are vulnerable to impersonations of a legitimate device by a malicious actor, which may allow an attacker to remotely execute arbitrary commands.
Affected
85 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mitsubishi_electric | conveyor_tracking_application | — | — |
| mitsubishi_electric | conveyor_tracking_application | — | — |
| mitsubishi_electric | conveyor_tracking_application | — | — |
| mitsubishi_electric | conveyor_tracking_application | — | — |
| mitsubishi_electric | d55up12-v | — | — |
| mitsubishi_electric | fr-a800-e_series | — | — |
| mitsubishi_electric | fr-a8ncg | — | — |
| mitsubishi_electric | fr-e800-epa_series | — | — |
| mitsubishi_electric | fr-e800-epb_series | — | — |
| mitsubishi_electric | fr-f800-e_series | — | — |
| mitsubishi_electric | fx3ge_m | — | — |
| mitsubishi_electric | fx3u-enet | — | — |
| mitsubishi_electric | fx3u-enet-adp | — | — |
| mitsubishi_electric | fx3u-enet-l | — | — |
| mitsubishi_electric | fx3u-enet-p502 | — | — |
| mitsubishi_electric | fx5-cclgn-ms | — | — |
| mitsubishi_electric | fx5-enet | — | — |
| mitsubishi_electric | fx5-enet_ip | — | — |
| mitsubishi_electric | fx5u_m | >= unspecified < Serial number 17X**** or later: Version 1.210 and prior | Serial number 17X**** or later: Version 1.210 and prior |
| mitsubishi_electric | fx5u_m | >= unspecified < Serial number 179**** and prior: Version 1.070 and prior | Serial number 179**** and prior: Version 1.070 and prior |
| mitsubishi_electric | fx5uc-32m_ts | >= unspecified < Version 1.210 and prior | Version 1.210 and prior |
| mitsubishi_electric | fx5uj_m | — | — |
| mitsubishi_electric | got1000_series_gt14_model | — | — |
| mitsubishi_electric | got2000_series_gt21_model | — | — |
| mitsubishi_electric | gs_series | — | — |
Detection & IOCs
- The vulnerability involves predictable TCP sequence numbers (CWE-342: Predictable Exact Value from Previous Values), enabling TCP session hijacking. Detect anomalous TCP session takeovers targeting Mitsubishi Electric industrial devices on the network, particularly unexpected command execution sequences from hosts that did not originate the TCP handshake.
- Monitor for impersonation of legitimate Mitsubishi Electric devices on ICS networks, specifically unexpected or duplicate source IPs/MACs sending commands to affected PLCs, motion controllers, GOT HMIs, or inverter drives.
- Alert on remote arbitrary command execution attempts directed at affected Mitsubishi Electric product families (MELSEC Q/L/R/FX series PLCs, GOT2000/GS HMIs, FR-A800-E/F800-E/E800-E inverters, servo amplifiers MR-JE-C/MR-J4-TM) from untrusted network segments.
- The vulnerability is present across a very wide range of Mitsubishi Electric product lines and firmware versions. Some products (e.g., QJ71MES96, QJ71WS96, Q06CCPU-V, NZ2FT-MT, NZ2FT-EIP, IU1-1M20-D, GOT1000 GT14, MR-JE-C, MR-J4-TM, and all Conveyor Tracking APR-*TR* models) have NO fixed version available; detection and network segmentation are the only mitigations for these.
- The vulnerability class is CWE-342 (Predictable Exact Value from Previous Values), meaning TCP sequence numbers are predictable from observed prior values. Detection logic should account for off-path attackers who have observed legitimate traffic and can inject forged TCP segments.
- The CVSS v3 score in the CISA ICS advisory is 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L): network-exploitable with low complexity and no authentication required, making it accessible to a broad attacker population.
CVSS provenance
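| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |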
CISA ICS
Mitsubishi Electric Multiple Products (Update G)
cisa_ics · 2024-06-13
ICS Advisory
Last Revised: June 13, 2024
Alert Code: ICSA-20-245-01
Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems
## 1. EXECUTIVE SUMMARY
- CVSS v3 7.3
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Mitsubishi Electric
- Equipment: Multiple products
- Vulnerability: Predictable Exact Value from Previous Values
## 2. RISK EVALUATION
Successful exploitation of this vulnerability could be used to hijack TCP sessions and allow remote command execution.
## 3. TECHNICAL DETAILS
### 3.1 AFFECTED PRODUCTS
Mitsubishi Electric reports the vulnerability affects the following products:
- QJ71MES96: all versions
- QJ71WS96: all versions
- Q06CCPU
GHSA
GHSA-4548-gq2g-hw87: Multiple Mitsubishi Electric products are vulnerable to impersonations of a legitimate device by a malicious actor, which may allow an attacker to rem
ghsa_unreviewed · 2022-05-24
CVE-2020-16226 [CRITICAL] CWE-342 GHSA-4548-gq2g-hw87: Multiple Mitsubishi Electric products are vulnerable to impersonations of a legitimate device by a malicious actor, which may allow an attacker to rem
Multiple Mitsubishi Electric products are vulnerable to impersonations of a legitimate device by a malicious actor, which may allow an attacker to remotely execute arbitrary commands.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.