Critical Vulnerability Information

Executive Summary

CVSS v3: 6.8
Note: Remotely exploitable
Vendor: Mitsubishi Electric
Product: MELSEC iQ-R Series C Controller Module R12CCPU-V
Vulnerability: Uncontrolled Resource Consumption

Update Information

This update notice follows the original notice published on October 7, 2021 (ICSA-21-280-04).

Risk Assessment

Successful exploitation of this vulnerability may result in the module failing to start, requiring a system reset to recover.

Technical Details

4.1 Affected Products

MELSEC iQ-R Series C Controller Module, affected module: R12CCPU-V, firmware version 16 and earlier.

4.2 Vulnerability Overview

Uncontrolled Resource Consumption CWE-400

The MELSEC iQ-R Series C Controller Module is vulnerable to uncontrolled resource consumption due to a short burst of a large number of packets sent during startup, potentially leading to a denial-of-service condition.

CVE-2021-20600: The CVSS v3 base score for this vulnerability is 6.8.

4.3 Background

Critical Infrastructure Sector: Critical Manufacturing
Deployment Countries/Regions: Global
Company Headquarters Location: Japan

4.4 Researchers

Mitsubishi Electric reported this vulnerability to CISA.

Mitigation Measures

Update affected devices to firmware version 17 or later.

If a system WDT error occurs during startup, disconnect the module’s LAN cable and restart the module. After confirming the module has started normally, re-establish the LAN connection.

Use firewalls, VPNs, or similar measures to prevent unauthorized access when internet connectivity is required.

Use local area networks and block access from untrusted networks and hosts.

Minimize network exposure of all control system devices and systems, ensuring they are not accessible from the internet.

Place control system networks and remote devices behind firewalls and isolate them from business networks.

When remote access is necessary, use secure methods such as Virtual Private Networks (VPNs), and ensure they are updated.

Follow CISA’s recommended security practices and strategies for control systems to reduce risk.
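
The vulnerability overview describes a short burst of packets reaching the module during startup. As an added example (not part of the advisory and not vendor or CISA tooling), the sliding-window check below flags such bursts in flow records for a controller address; the IP addresses, window length and threshold are assumptions, and the records are constructed sample data.

```python
from collections import deque

# Assumed values, not from the advisory: tune to the site's normal traffic.
CONTROLLER_IP = "192.0.2.10"  # placeholder address for the R12CCPU-V
WINDOW_S = 1.0                # sliding window length in seconds
THRESHOLD = 500               # packets per window treated as a burst

def find_bursts(packets, dst=CONTROLLER_IP, window_s=WINDOW_S, threshold=THRESHOLD):
    """Return burst events for traffic sent to dst.

    packets: iterable of (timestamp_s, src_ip, dst_ip), sorted by time.
    Each event has start (time the threshold was first exceeded), end (last
    packet seen while the trailing window was still over threshold, so it can
    lag the real end by up to window_s), peak and per-source packet counts.
    """
    window = deque()  # timestamps of packets to dst within the last window_s
    events, current = [], None
    for ts, src, pkt_dst in packets:
        if pkt_dst != dst:
            continue
        window.append(ts)
        while ts - window[0] >= window_s:
            window.popleft()
        if len(window) > threshold:
            if current is None:
                current = {"start": ts, "end": ts, "peak": 0, "sources": {}}
            current["end"] = ts
            current["peak"] = max(current["peak"], len(window))
            current["sources"][src] = current["sources"].get(src, 0) + 1
        elif current is not None:
            events.append(current)
            current = None
    if current is not None:
        events.append(current)
    return events

def sample_capture():
    """Constructed flow records: steady polling plus one 0.5 s burst at t=2 s."""
    polling = [(i / 10, "192.0.2.20", CONTROLLER_IP) for i in range(50)]
    burst = [(2.0 + i * 0.00025, "192.0.2.99", CONTROLLER_IP) for i in range(2000)]
    return sorted(polling + burst)

if __name__ == "__main__":
    for event in find_bursts(sample_capture()):
        print(event)
```

Records from a switch mirror port or flow export that cover the module's startup are the relevant input, since the advisory places the exposure during startup.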