Description:

Mitsubishi Electric has released security updates to address multiple vulnerabilities in the following products:

• smartRTU and INEA ME-RTU: All firmware versions prior to Version 3.3
• QJ71MES96, all versions
• QJ71WS96, all versions
• Q06CCPU-V, all versions
• Q24DHCCPU-V, all versions
• Q24DHCCPU-VG, all versions
• R12CCPU-V, Version 13 and prior
• RD55UP06-V, Version 09 and prior
• RD55UP12-V, Version 01
• RJ71GN11-T2, Version 11 and prior
• RD78Gn(n=4,8,16,32,64), Version 14 and prior
• RD78GHV, Version 14 and prior
• RD78GHW, Version 14 and prior
• NZ2FT-MT, all versions
• NZ2FT-EIP, all versions
• Q03UDECPU, the first 5 digits of serial number 22081 and prior
• QnUDEHCPU(n=04/06/10/13/20/26/50/100), the first 5 digits of serial number 22081 and prior
• QnUDVCPU(n=03/04/06/13/26), the first 5 digits of serial number 22031 and prior
• QnUDPVCPU(n=04/06/13/26), the first 5 digits of serial number 22031 and prior
• LnCPU(-P)(n=02/06/26), the first 5 digits of serial number 22051 and prior
• L26CPU-(P)BT, the first 5 digits of serial number 22051 and prior
• RnCPU(n=00/01/02), Version 18 and prior
• RnCPU(n=04/08/16/32/120), Version 50 and prior
• RnENCPU(n=04/08/16/32/120), Version 50 and prior
• RnSFCPU (n=08/16/32/120), Version 22 and prior
• RnPCPU(n=08/16/32/120), Version 24 and prior
• RnPSFCPU(n=08/16/32/120), Version 05 and prior
• FX5U(C)-**M*/**
• Case1: Serial number 17X**** or later: Version 1.210 and prior
• Case2: Serial number 179**** and prior: Version 1.070 and prior
• FX5UC-32M*/**-TS, Version 1.210 and prior
• FX5UJ-**M*/**, Version 1.000
• FX5-ENET, Version 1.002 and prior
• FX5-ENET/IP, Version 1.002 and prior
• FX3U-ENET-ADP, Version 1.22 and prior
• FX3GE-**M*/**, the first 3 digits of serial number 20X and prior
• FX3U-ENET, Version 1.14 and prior
• FX3U-ENET-L, Version 1.14 and prior
• FX3U-ENET-P502, Version 1.14 and prior
• FX5-CCLGN-MS, Version 1.000
• IU1-1M20-D, all versions
• LE7-40GU-L, all versions
• GOT2000 Series GT21 Model, all versions
• GS Series, all versions
• GOT1000 Series GT14 Model, all versions
• FR-A800-E Series, production date December 2020 and prior
• FR-F800-E Series, production date December 2020 and prior
• FR-A8NCG, Production date August 2020 and prior
• FR-E800-EPA Series, Production date July 2020 and prior
• FR-E800-EPB Series, Production date July 2020 and prior
• Conveyor Tracking Application APR-nTR3FH, APR-nTR6FH, APR-nTR12FH, APR-nTR20FH(n=1,2), all versions (Discontinued product)
• MR-JE-C, all versions
• MR-J4-TM, all versions
• RJ71EN71, Version 48 and prior
• QJ71E71-100, the first 5 digits of serial number 21092 and prior
• LJ71E71-100, the first 5 digits of serial number 21092 and prior
• QJ71MT91, the first 5 digits of serial number 20082 and prior
• NZ2GACP620-60, Version 1.03D and prior
• NZ2GACP620-300, Version 1.03D and prior
• GT25-J71GN13-T2, Version 03 and prior

Threats:

Attackers could exploit these vulnerabilities by doing the following:

• Sensitive information disclosure
• Execute arbitrary code

Best practice and Recommendations:

The CERT team encourages users to review Mitsubishi Electric security advisory:

• https://www.inea.si/en/telemetrija-in-m2m-produkti/mertu-en/

Mitsubishi Electric recommends following the below recommendations:

• Use a firewall or VPN, etc., to prevent unauthorized access when Internet access is required.
• Use within a LAN and block access from untrusted networks and hosts through firewalls.