CVE-2021-20597

CRITICAL

Mitsubishi Electric MELSEC iQ-R - Info Disclosure

Title source: llm

Description

Insufficiently Protected Credentials vulnerability in Mitsubishi Electric MELSEC iQ-R series Safety CPU modules R08/16/32/120SFCPU firmware versions "26" and prior and Mitsubishi Electric MELSEC iQ-R series SIL2 Process CPU modules R08/16/32/120PSFCPU firmware versions "11" and prior allows a remote unauthenticated attacker to login to the target unauthorizedly by sniffing network traffic and obtaining credentials when registering user information in the target or changing a password.

References (3)

Core 3

Core References

Third Party Advisory

https://jvn.jp/vu/JVNVU98578731/index.html

Vendor Advisory

https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2021-009_en.pdf

Third Party Advisory, US Government Resource

https://www.cisa.gov/uscert/ics/advisories/icsa-21-250-01

Scores

CVSS v3 9.1

EPSS 0.0089

EPSS Percentile 75.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Details

CWE

CWE-522

Status published

Products (8)

mitsubishielectric/r08psfcpu_firmware

mitsubishielectric/r08sfcpu_firmware

mitsubishielectric/r120psfcpu_firmware

mitsubishielectric/r120sfcpu_firmware

mitsubishielectric/r16psfcpu_firmware

mitsubishielectric/r16sfcpu_firmware

mitsubishielectric/r32psfcpu_firmware

mitsubishielectric/r32sfcpu_firmware

Published Aug 06, 2021

Tracked Since Feb 18, 2026