Detections
Analytics
Mitsubishi Electric MELSEC-Q Series PLCs Uncontrolled Resource Consumption (CVE-2019-6535)
high Tenable OT Security Plugin ID 500066
Synopsis
The remote OT asset is affected by a vulnerability.Description
Mitsubishi Electric Q03/04/06/13/26UDVCPU: serial number 20081 and prior, Q04/06/13/26UDPVCPU: serial number 20081 and prior, and Q03UDECPU, Q04/06/10/13/20/26/50/100UDEHCPU: serial number 20101 and prior. A remote attacker can send specific bytes over Port 5007 that will result in an Ethernet stack crash and disruption to USB communication.This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.
Solution
The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original can be found at CISA.gov.Mitsubishi Electric has produced a new version of the firmware. Additional information about this vulnerability or Mitsubishi Electric's compensating control is available by contacting a local Mitsubishi Electric representative, which can be found at the following location: https://us.mitsubishielectric.com/fa/en/about-us/distributors
Mitsubishi Electric strongly recommends users should operate the affected device behind a firewall.
See Also
https://ics-cert.us-cert.gov/advisories/ICSA-19-029-02
http://www.securityfocus.com/bid/106771
https://www.cisa.gov/news-events/ics-advisories/icsa-19-029-02
Plugin Details
Severity: High
ID: 500066
Version: 1.16
Type: remote
Family: Tenable.ot
Published: 2/7/2022
Updated: 6/27/2025
Supported Sensors: Tenable OT Security
Risk Information
VPR
Risk Factor: Medium
Score: 4.4
CVSS v2
Risk Factor: Medium
Base Score: 5
Temporal Score: 3.7
Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS Score Source: CVE-2019-6535
CVSS v3
Risk Factor: High
Base Score: 7.5
Temporal Score: 6.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/o:mitsubishielectric:q06udehcpu_firmware, cpe:/o:mitsubishielectric:q50udehcpu_firmware, cpe:/o:mitsubishielectric:q26udvcpu_firmware, cpe:/o:mitsubishielectric:q13udvcpu_firmware, cpe:/o:mitsubishielectric:q06udvcpu_firmware, cpe:/o:mitsubishielectric:q06udpvcpu_firmware, cpe:/o:mitsubishielectric:q26udehcpu_firmware, cpe:/o:mitsubishielectric:q20udehcpu_firmware, cpe:/o:mitsubishielectric:q04udehcpu_firmware, cpe:/o:mitsubishielectric:q04udvcpu_firmware, cpe:/o:mitsubishielectric:q04udpvcpu_firmware, cpe:/o:mitsubishielectric:q100udehcpu_firmware, cpe:/o:mitsubishielectric:q03udecpu_firmware, cpe:/o:mitsubishielectric:q26udpvcpu_firmware, cpe:/o:mitsubishielectric:q13udehcpu_firmware, cpe:/o:mitsubishielectric:q03udvcpu_firmware, cpe:/o:mitsubishielectric:q13udpvcpu_firmware, cpe:/o:mitsubishielectric:q10udehcpu_firmware
Required KB Items: Tenable.ot/Mitsubishi
Exploit Ease: No known exploits are available
Patch Publication Date: 2/5/2019
Vulnerability Publication Date: 2/5/2019
Reference Information
CVE: CVE-2019-6535
CWE: 400
ICSA: 19-029-02