ICS Network Controllers Open to Remote Exploit, No Patches Available

CISA advisory warns of critical ICS device flaws, but a lack of available fixes leaves network administrators on defense to prevent exploits.

Dark Reading Staff, Dark Reading

April 18, 2024

2 Min Read
An ICS control panel
Source: rapsian sawangphon via Alamy Stock Photo

A security advisory issued this week by the Cybersecurity and Infrastructure Security Agency (CISA) alerts administrators of vulnerabilities in two industrial control systems devices — Unitronics Vision Series PLCs and Mitsubishi Electric MELSEC iQ-R Series.

CISA warned that the Unitronics Vision Series PLC controller is open to remote exploit due to its storage of passwords in a recoverable format. This vulnerability (CVE-2024-1480) was assigned a CVSS score of 8.7.

Unitronics has not responded to, or worked with, the agency to mitigate the issue, leaving networks with these devices open to cyberattack, according to CISA. The advisory recommends ensuring the controllers are not connected to the Internet, isolating them from business networks, protecting the devices behind firewalls, and using secure methods, like virtual private networks (VPNs), for remote access.

The remaining ICS vulnerabilities impact the Mitsubishi Electric Corporation MELSEC iQ-R CPU Module. A design flaw in the CPU, tracked under CVE-2021-20599, has been assigned a CVSS score of 9.1. The unit transmits passwords in cleartext, which are easily intercepted by adversaries.

The Mitsubishi MELSEC CPUs also harbor a trio of reported flaws that could allow a threat actor to compromise usernames, access the device, and deny access to legitimate users. These include: exposure of sensitive information (CVE-2021-20594, CVSS 5.9); insufficiently protected credentials (CVE-2021-20597, CVSS 7.4); and a restrictive account lockout mechanism (CVE-2021-20598, CVSS 3.7).

Mitsubishi is working to provide mitigations and workarounds for the issues. However, systems with these devices are unable to be updated with a fix, according to CISA. The agency advises administrators with these devices in their networks to shore up defenses with firewalls, remote access limitations, and IP address restrictions.

"Mitsubishi Electric has released the fixed version ... but updating the product to the fixed version is not available," the advisory said. "CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability."

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights