Mitsubishi Electric MELSEC iQ-R, Q, L Series and MELIPC Series Improper Resource Locking (CVE-2022-24946)

Severity: High. Tenable OT Security Plugin ID 500662

Synopsis

The remote OT asset is affected by a vulnerability.

Description

An Improper Resource Locking vulnerability in the following products allows a remote unauthenticated attacker to cause a denial of service (DoS) condition in Ethernet communications by sending specially crafted packets. A system reset of the products is required for recovery.

Affected products:

- Mitsubishi Electric MELSEC-Q Series Q03UDECPU: all versions
- Mitsubishi Electric MELSEC-Q Series Q04/06/10/13/20/26/50/100UDEHCPU: all versions
- Mitsubishi Electric MELSEC-Q Series Q03/04/06/13/26UDVCPU: the first 5 digits of serial number 24051 and prior
- Mitsubishi Electric MELSEC-Q Series Q04/06/13/26UDPVCPU: the first 5 digits of serial number 24051 and prior
- Mitsubishi Electric MELSEC-L series L02/06/26CPU(-P): the first 5 digits of serial number 24051 and prior
- Mitsubishi Electric MELSEC-L series L26CPU-(P)BT: the first 5 digits of serial number 24051 and prior

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original can be found at CISA.gov.

Mitsubishi has fixed the vulnerability in the following products:

- MELSEC iQ-R Series R12CCPU-V CPU: Firmware Version 17 and later
- MELSEC Q Series Q03UDECPU: Versions with the first 5 digits of serial No. 24062 and later
- MELSEC Q Series Q04UDECPU: Versions with the first 5 digits of serial No. 24062 and later
- MELSEC Q Series Q06UDECPU: Versions with the first 5 digits of serial No. 24062 and later
- MELSEC Q Series Q10UDECPU: Versions with the first 5 digits of serial No. 24062 and later
- MELSEC Q Series Q13UDECPU: Versions with the first 5 digits of serial No. 24062 and later
- MELSEC Q Series Q20UDECPU: Versions with the first 5 digits of serial No. 24062 and later
- MELSEC Q Series Q26UDECPU: Versions with the first 5 digits of serial No. 24062 and later
- MELSEC Q Series Q50UDECPU: Versions with the first 5 digits of serial No. 24062 and later
- MELSEC Q Series Q100UDECPU: Versions with the first 5 digits of serial No. 24052 and later
- MELSEC Q Series Q03UDVCPU: Versions with the first 5 digits of serial No. 24052 and later
- MELSEC Q Series Q04UDVCPU: Versions with the first 5 digits of serial No. 24052 and later
- MELSEC Q Series Q06UDVCPU: Versions with the first 5 digits of serial No. 24052 and later
- MELSEC Q Series Q13UDVCPU: Versions with the first 5 digits of serial No. 24052 and later
- MELSEC Q Series Q26UDVCPU: Versions with the first 5 digits of serial No. 24052 and later
- MELSEC Q Series Q04UDPVCPU: Versions with the first 5 digits of serial No. 24052 and later
- MELSEC Q Series Q06UDPVCPU: Versions with the first 5 digits of serial No. 24052 and later
- MELSEC Q Series Q13UDPVCPU: Versions with the first 5 digits of serial No. 24052 and later
- MELSEC Q Series Q26UDPVCPU: Versions with the first 5 digits of serial No. 24052 and later
- MELSEC Q Series Q12DCCPU-V: Versions with the first 5 digits of serial No. 25062 and later
- MELSEC Q Series Q24DHCCPU-V(G): Versions with the first 5 digits of serial No. 25062 and later
- MELSEC Q Series Q24DHCCPU-LS: Versions with the first 5 digits of serial No. 25062 and later
- MELSEC Q Series Q26DHCCPU-LS: Versions with the first 5 digits of serial No. 25062 and later
- MELSEC L Series L02CPU(-P): Versions with the first 5 digits of serial No. 24052 and later
- MELSEC L Series L06CPU(-P): Versions with the first 5 digits of serial No. 24052 and later
- MELSEC L Series L26CPU(-P): Versions with the first 5 digits of serial No. 24052 and later
- MELSEC L Series L26CPU-(P)BT: Versions with the first 5 digits of serial No. 24052 and later
- MELIPC Series MI5122-VW CPU: Firmware Version 06 and later

Mitsubishi Electric recommends customers apply the following countermeasures:

MELSEC iQ-R Series:

- Customers using the MELSEC iQ-R Series firmware versions 08 and prior will be unable to update to the fixed version. Take the mitigation measures that are common to all affected products found later in the advisory.
- Customers using the MELSEC iQ-R Series firmware versions 09 and later are recommended to download and install the updated firmware. Please refer to the MELSEC iQ-R Module Configuration Manual "Appendix 2 Firmware Update Function" for instructions on how to update the firmware.

MELSEC Q Series:

- Customers using the MELSEC Q Series will be unable to update to the respective fixed versions. Mitsubishi Electric recommends customers consider migrating to the MELSEC iQ-R Series. Take the mitigation measures that are common to all affected products found later in the advisory.

MELSEC L Series:

- Customers using the MELSEC L Series will be unable to update to the respective fixed versions. Mitsubishi Electric recommends customers consider migrating to the MELSEC iQ-R Series. Take the mitigation measures that are common to all affected products found later in the advisory.

MELIPC Series:

- Customers using the MELIPC Series will be unable to update to the fixed version. Take the mitigation measures that are common to all affected products found later in the advisory.

Mitsubishi Electric recommends the following mitigation measures as being common to all affected products:

- Use a firewall or virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required.
- Use within a LAN and block access from untrusted networks and hosts through firewalls.

For additional information, such as how to check device or firmware versions, see the Mitsubishi Electric security advisory.

Please contact Mitsubishi Electric customer support for more information on how to update specific hardware.

See Also

http://www.nessus.org/u?53bebf4a

https://jvn.jp/vu/JVNVU90895626/index.html

https://www.cisa.gov/news-events/ics-advisories/icsa-22-172-01

Plugin Details

Severity: High

ID: 500662

File Name: tenable_ot_mitsubishi_CVE-2022-24946.nasl

Version: 1.8

Type: remote

Family: Tenable.ot

Published: 7/5/2022

Updated: 2/14/2026

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2022-24946

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:mitsubishielectric:l02scpu_firmware:-, cpe:/o:mitsubishielectric:q04udvcpu_firmware:-, cpe:/o:mitsubishielectric:q20udehcpu_firmware:-, cpe:/o:mitsubishielectric:q06udehcpu_firmware:-, cpe:/o:mitsubishielectric:l02cpu-p_firmware:-, cpe:/o:mitsubishielectric:q03udecpu_firmware:-, cpe:/o:mitsubishielectric:q06udvcpu_firmware:-, cpe:/o:mitsubishielectric:l02cpu_firmware:-, cpe:/o:mitsubishielectric:q26dhccpu-ls_firmware:-, cpe:/o:mitsubishielectric:q13udpvcpu_firmware:-, cpe:/o:mitsubishielectric:q06ccpu-v_firmware:-, cpe:/o:mitsubishielectric:q100udehcpu_firmware:-, cpe:/o:mitsubishielectric:q04udpvcpu_firmware:-, cpe:/o:mitsubishielectric:l26cpu-bt_firmware:-, cpe:/o:mitsubishielectric:q06udpvcpu_firmware:-, cpe:/o:mitsubishielectric:l26cpu-%28p%29bt_firmware:-, cpe:/o:mitsubishielectric:l26cpu_firmware:-, cpe:/o:mitsubishielectric:q13udvcpu_firmware:-, cpe:/o:mitsubishielectric:q13udehcpu_firmware:-, cpe:/o:mitsubishielectric:q26udehcpu_firmware:-, cpe:/o:mitsubishielectric:l06cpu_firmware:-, cpe:/o:mitsubishielectric:l02scpu-p_firmware:-, cpe:/o:mitsubishielectric:q06phcpu_firmware:-, cpe:/o:mitsubishielectric:l26cpu-pbt_firmware:-, cpe:/o:mitsubishielectric:q26udvcpu_firmware:-, cpe:/o:mitsubishielectric:l26cpu-bt-cm_firmware:-, cpe:/o:mitsubishielectric:q10udehcpu_firmware:-, cpe:/o:mitsubishielectric:q26udpvcpu_firmware:-, cpe:/o:mitsubishielectric:q04udehcpu_firmware:-, cpe:/o:mitsubishielectric:q50udehcpu_firmware:-, cpe:/o:mitsubishielectric:l06cpu-p_firmware:-, cpe:/o:mitsubishielectric:l26cpu-p_firmware:-

Required KB Items: Tenable.ot/Mitsubishi

Exploit Ease: No known exploits are available

Patch Publication Date: 6/15/2022

Vulnerability Publication Date: 6/15/2022

Reference Information

CVE: CVE-2022-24946

CWE: 667

ICSA: 22-172-01