Vulnerability in 60 Mitsubishi Electric SCADA products enables TCP session hijacking and remote command execution

Logical security specialists reported the discovery of a critical vulnerability in multiple Mitsubishi Electric products, in which an exact value can be predicted from previous values. According to the report, successful exploitation of this vulnerability could be used to hijack TCP sessions and allow remote command execution on affected systems.

Tracked as CVE-2020-16226, this flaw allows threat actors to impersonate legitimate devices and thereby execute arbitrary code remotely on the affected products. The vulnerability received a score of 7.3/10 according to the Common Vulnerability Scoring System (CVSS).
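The weakness class described above is that the next value a device uses can be worked out from the values it used before. As an added example (not code from the article, from Mitsubishi Electric, or from the researchers it credits), the following script implements a defender-side check for exactly that property: given initial sequence numbers (ISNs) observed across successive TCP handshakes with one device, it measures whether the next ISN follows from the previous ones. The ISN sample sets, the index formula and the classification thresholds are all assumptions of this example, not values from any product or advisory.

```python
"""Assess how predictable a device's TCP initial sequence numbers (ISNs) are.

Added example, not code from the article, from Mitsubishi Electric or from the
researchers it cites. It checks for the weakness class the article describes
(an exact value predictable from previous values) over ISNs observed across
successive TCP handshakes with one device. The ISN samples, the index formula
and the thresholds are assumptions of this example.
"""
import math
from statistics import pstdev

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def isn_deltas(isns):
    """Increments between consecutive ISNs, reduced modulo 2^32 so that
    wrap-around is treated as a small step rather than a huge negative jump."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def predict_next(isns):
    """Naive prediction: assume the device reuses its most recent increment.
    Returns None if fewer than two samples are available."""
    if len(isns) < 2:
        return None
    return (isns[-1] + isn_deltas(isns)[-1]) % MOD


def exact_hit_rate(isns):
    """Fraction of samples (from the third onwards) that the naive predictor
    guessed exactly, using only the samples that came before each one."""
    trials = [(predict_next(isns[:i]), isns[i]) for i in range(2, len(isns))]
    if not trials:
        raise ValueError("need at least three ISN samples")
    return sum(1 for guess, actual in trials if guess == actual) / len(trials)


def predictability_index(isns):
    """Score the spread of the increments: 0 means a fixed increment, larger
    means the next ISN is harder to guess. The formula (8 * log2 of the
    standard deviation of the deltas) is an assumption of this example,
    modelled loosely on the sequence tests of network scanners."""
    deltas = isn_deltas(isns)
    if len(deltas) < 2:
        raise ValueError("need at least three ISN samples")
    spread = pstdev(deltas)
    return 0 if spread < 1 else round(8 * math.log2(spread))


def classify(isns):
    """Label the generator. Thresholds are assumptions of this example."""
    idx = predictability_index(isns)
    if idx == 0 or exact_hit_rate(isns) == 1.0:
        return "exact"       # next ISN fully determined by previous ones
    if idx < 100:
        return "weak"        # small jitter: a short guess window suffices
    return "acceptable"      # increments spread across the 32-bit space


# Constructed sample sets (not captured from any real product).
FIXED_ISNS = [4096 + 64000 * k for k in range(6)]            # fixed increment of 64000
JITTER_ISNS = [4096, 68096, 132099, 196097, 260098, 324100]  # 64000 plus a few units
RANDOM_ISNS = [0x9E3779B9, 0x2545F491, 0x7F4A7C15,
               0xD1B54A32, 0x4C957F2D, 0xA3B9C2E1]            # arbitrary 32-bit values


if __name__ == "__main__":
    for name, isns in [("fixed", FIXED_ISNS), ("jitter", JITTER_ISNS), ("random", RANDOM_ISNS)]:
        print(f"{name:7s} index={predictability_index(isns):4d} "
              f"hit_rate={exact_hit_rate(isns):.2f} -> {classify(isns)}")
```

To apply this to a real device, collect the ISNs from the SYN-ACK segments of repeated connections in a packet capture and feed them in as a list. The jitter set shows why the index matters alongside the exact hit rate: a generator that drifts by a few units is never guessed exactly by the naive predictor, yet its index stays tiny, which is the signal that the device belongs behind the network isolation the advisory recommends rather than on a reachable segment.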

The flaw was reported by Ta-Lun Yen of the research unit of security firm Trend Micro, in collaboration with the Zero Day Initiative (ZDI), as mentioned by logical security specialists.

The following is the list of products affected by this flaw:

  • QJ71MES96, all versions
  • QJ71WS96, all versions
  • Q06CCPU-V, all versions
  • Q24DHCCPU-V, all versions
  • Q24DHCCPU-VG, all versions
  • R12CCPU-V, all versions
  • RD55UP06-V, all versions
  • RD55UP12-V, all versions
  • RJ71GN11-T2, all versions
  • RJ71EN71, all versions
  • QJ71E71-100, all versions
  • LJ71E71-100, all versions
  • QJ71MT91, all versions
  • RD78Gn (n = 4, 8, 16, 32, 64), all versions
  • RD78GHV, all versions
  • RD78GHW, all versions
  • NZ2GACP620-60, all versions
  • NZ2GACP620-300, all versions
  • NZ2FT-MT, all versions
  • NZ2FT-EIP, all versions
  • Q03UDECPU, serial numbers whose first 5 digits are 22081 and earlier
  • QnUDEHCPU (n = 04/06/10/13/20/26/50/100)
  • QnUDVCPU (n = 03/04/06/13/26)
  • QnUDPVCPU (n = 04/06/13/2)
  • LnCPU(-P) (n = 02/06/26)
  • L26CPU-(P)BT
  • RnCPU (n = 00/01/02), version 18 and earlier
  • RnCPU (n = 04/08/16/32/120), version 50 and earlier
  • RnENCPU (n = 04/08/16/32/120), version 50 and earlier
  • RnSFCPU (n = 08/16/32/120), all versions
  • RnPCPU (n = 08/16/32/120), all versions
  • RnPSFCPU (n = 08/16/32/120), all versions
  • FX5U(C)
  • FX5UC-32M*/**-TS, version 1.210 and earlier
  • FX5UJ-**M*/**, version 1.000
  • FX5-ENET, all versions
  • FX5-ENET/IP, all versions
  • FX3U-ENET-ADP, all versions
  • FX3GE-**M*/**, all versions
  • FX3U-ENET, all versions
  • FX3U-ENET-L, all versions
  • FX3U-ENET-P502, all versions
  • FX5-CCLGN-MS, all versions
  • IU1-1M20-D, all versions
  • LE7-40GU-L, all versions
  • GT21 model of the GOT2000 series, all versions
  • GS Series, all versions
  • GOT1000 series GT14 model, all versions
  • GT25-J71GN13-T2, all versions
  • FR-A800-E series, all versions
  • FR-F800-E series, all versions
  • FR-A8NCG, production date August 2020 and earlier
  • FR-E800-EPA series, production date July 2020 and earlier
  • FR-E800-EPB series, production date July 2020 and earlier
  • Conveyor tracking application APR-nTR3FH, APR-nTR6FH, APR-nTR12FH, APR-nTR20FH (n = 1, 2), all versions (discontinued product)
  • MR-JE-C, all versions
  • MR-J4-TM, all versions

Faced with the risk of exploitation, Mitsubishi Electric and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) recommend implementing the following measures:

  • Use a firewall or VPN to prevent unauthorized access when Internet access is required
  • Use affected products within a LAN and ensure that they are not accessible from untrusted networks and hosts
  • Install antivirus software on any computer that can be accessed by an affected product
  • Check whether updates are already available for the affected products

Logical security specialists state that correctly implementing these measures will considerably mitigate the risk of exploitation.