CYB3R53C

Cybersecurity Starts Here: Explore, Learn, and Secure Your Operations

A remote exploit is possible on ICS Network Controllers, and no patches are available

In a recent CISA advisory, it warns that ICS devices are vulnerable to critical vulnerabilities, but there are no fixes available, so network administrators have to defend themselves against exploits.

Cybersecurity and Infrastructure Security Agency (CISA) released a security advisory this week alerting administrators of vulnerabilities in Unitronics Vision Series PLCs and Mitsubishi Electric MELSEC iQ-R Series PLCs. The advisory recommends that administrators update their Unitronics Vision Series PLCs to the latest firmware version and implement strong password policies. For Mitsubishi Electric MELSEC iQ-R Series PLCs, administrators are advised to enable access controls, restrict network access, and regularly update the firmware to address the vulnerabilities.

Due to its ability to recover passwords, the Unitronics Vision Series PLC controller was warned to be vulnerable to remote exploit by CISA.CVSS score of 8.7 has been assigned to this vulnerability (CVE-2024-1480). Other devices that may be susceptible to similar remote exploits include the Siemens SIMATIC S7-1200 PLC controller, the Schneider Electric Modicon M340 PLC controller, and the Rockwell Automation Allen-Bradley CompactLogix PLC controller. It is crucial for organizations to regularly update and patch these devices to mitigate the risk of exploitation.

CISA has reported that Unitronics has not responded to and has not worked with the agency to mitigate the issue, allowing networks with these devices to be vulnerable to cyberattacks, according to CISA. To ensure the controllers are not connected to the Internet, they should be isolated from business networks, they should be protected behind firewalls, and they should be used for remote access with secure methods, such as virtual private networks (VPNs).

MELSEC iQ-R CPU Module from Mitsubishi Electric Corporation is also vulnerable to ICS vulnerabilities. It has a CVSS score of 9.1 due to a design flaw in the CPU, CVE-2021-20599. The CPU transmits passwords in cleartext, which can be intercepted.

Additionally, Mitsubishi MELSEC CPUs have three reported flaws that could allow threat actors to compromise usernames, access devices, and deny access to legitimate users. Among them are: exposure of sensitive information (CVE-2021-20594, CVSS 5.9); insufficiently protected credentials (CVE-2021-20597, CVSS 7.4); and a restrictive account lockout mechanism (CVE-2021-20598, CVSS 3.7).

As a result of the issues, Mitsubishi is developing mitigations and workarounds. Nevertheless, CISA says these devices can’t be updated with a fix. Firewalls, remote access limitations, and IP address restrictions are recommended for administrators with these devices in their networks.

“Mitsubishi Electric has released the fixed version … but updating the product to the fixed version is not available,” the advisory said. “CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability.”

Share this post

Stay tuned

“There are only two types of companies: those that have been hacked, and those that will be.” – Robert Mueller

Twitter Linkedin Telegram Instagram

Copyright 2025 © All rights Reserved. Design by Elementor