A security advisory issued this week by the Cybersecurity and Infrastructure Security Agency (CISA) alerts administrators to vulnerabilities in two industrial control system devices: Unitronics Vision Series and Mitsubishi Electric MELSEC iQ-R Series PLCs.
CISA warned that the Unitronics Vision Series PLC controller is open to remote exploits due to storing passwords in a recoverable format. This vulnerability (CVE-2024-1480) has been assigned a CVSS score of 8.7.
According to CISA, Unitronics did not respond or work with the agency to mitigate the issue, leaving networks with these devices open to cyberattacks. The advisory recommends ensuring that data controllers are not connected to the Internet by isolating them from company networks, protecting devices behind firewalls, and using secure methods, such as virtual private networks (VPNs), for remote access.
The rest ICS vulnerabilities affect the MELSEC iQ-R CPU module from Mitsubishi Electric Corporation. A CPU design flaw, tracked under CVE-2021-20599, was assigned a CVSS score of 9.1. The unit transmits passwords in clear text, which are easily intercepted by adversaries.
Mitsubishi MELSEC CPUs also host three reported flaws that could allow a threat actor to compromise usernames, access the device, and deny access to legitimate users. These include: exposure of sensitive information (CVE-2021-20594, CVSS 5.9); credentials not sufficiently protected (CVE-2021-20597, CVSS 7.4); and a restrictive account lockout mechanism (CVE-2021-20598, CVSS 3.7).
Mitsubishi is working to provide mitigations and workarounds to the issues. However, according to CISA, systems with these devices cannot be updated with a fix. The agency advises administrators using these devices in their networks to strengthen defenses with firewalls, remote access limitations, and IP address restrictions.
“Mitsubishi Electric has released the fixed version… but the product upgrade to the fixed version is not available,” the notice reads. “CISA recommends that users take defensive measures to minimize the risk of exploitation of this vulnerability.”