Executive Summary
In March 2026, Mitsubishi Electric disclosed multiple vulnerabilities in their MELSEC iQ-F Series EtherNet/IP and Ethernet modules, specifically FX5-ENET/IP and FX5-EIP models. These flaws, identified as CVE-2026-1874, CVE-2026-1875, and CVE-2026-1876, allow remote attackers to induce denial-of-service conditions by continuously sending UDP packets, rendering the devices unresponsive until a system reset is performed. The vulnerabilities affect FX5-ENET/IP versions up to 1.106 and all versions of FX5-EIP. (nvd.nist.gov)
This incident underscores the critical need for robust network security measures in industrial control systems, as such vulnerabilities can disrupt essential operations in critical manufacturing sectors worldwide. Organizations are advised to implement recommended mitigations, including updating firmware where available and employing network defenses to prevent unauthorized access. (cyber.gc.ca)
Why This Matters Now
The disclosure of these vulnerabilities highlights the ongoing risks in industrial control systems, emphasizing the urgency for organizations to assess and fortify their network defenses to prevent potential disruptions in critical manufacturing operations.
Attack Path Analysis
An attacker exploited vulnerabilities in the MELSEC iQ-F Series EtherNet/IP modules by sending continuous UDP packets, leading to a denial-of-service (DoS) condition. This attack disrupted the availability of the affected devices, requiring a system reset for recovery.
Kill Chain Progression
Initial Compromise
Description
The attacker identified and targeted vulnerabilities in the MELSEC iQ-F Series EtherNet/IP modules by sending continuous UDP packets, leading to a denial-of-service (DoS) condition.
Related CVEs
CVE-2026-1874
CVSS 8.7
An always-incorrect control flow implementation vulnerability in Mitsubishi Electric MELSEC iQ-F Series FX5-ENET/IP Ethernet Module and FX5-EIP EtherNet/IP Module allows a remote attacker to cause a denial-of-service (DoS) condition by continuously sending UDP packets.
Affected Products:
Mitsubishi Electric MELSEC iQ-F Series FX5-ENET/IP Ethernet Module – <=1.106
Mitsubishi Electric MELSEC iQ-F Series FX5-EIP EtherNet/IP Module – All versions
Exploit Status:
no public exploit
CVE-2026-1875
CVSS 8.7
An improper resource shutdown or release vulnerability in Mitsubishi Electric MELSEC iQ-F Series FX5-EIP EtherNet/IP Module allows a remote attacker to cause a denial-of-service (DoS) condition by continuously sending UDP packets.
Affected Products:
Mitsubishi Electric MELSEC iQ-F Series FX5-EIP EtherNet/IP Module – All versions
Exploit Status:
no public exploit
CVE-2026-1876
CVSS 8.7
An improper resource shutdown or release vulnerability in Mitsubishi Electric MELSEC iQ-F Series FX5-ENET/IP Ethernet Module allows a remote attacker to cause a denial-of-service (DoS) condition by continuously sending UDP packets.
Affected Products:
Mitsubishi Electric MELSEC iQ-F Series FX5-ENET/IP Ethernet Module – All versions
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Network Denial of Service
Direct Network Flood
Reflection Amplification
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
NIST SP 800-53 – Denial of Service Protection
Control ID: SC-5
PCI DSS 4.0 – Ensure all system components are protected from known vulnerabilities
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Implement network segmentation and controls
Control ID: Pillar 3: Network and Environment
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Automotive
Critical Manufacturing sector faces DoS vulnerabilities in Mitsubishi MELSEC iQ-F industrial control systems, potentially disrupting production lines and automated manufacturing processes.
Oil/Energy/Solar/Greentech
Energy infrastructure using Mitsubishi EtherNet/IP modules vulnerable to UDP-based denial-of-service attacks affecting SCADA systems and operational technology networks.
Electrical/Electronic Manufacturing
Manufacturing operations dependent on industrial control systems face network segmentation risks and unencrypted traffic exposure in EtherNet/IP communication modules.
Utilities
Power grid and utility operations using affected MELSEC modules susceptible to remote DoS attacks requiring immediate firewall protection and network isolation measures.
Sources
- Mitsubishi Electric MELSEC iQ-F Series EtherNet/IP module and Ethernet module: https://www.cisa.gov/news-events/ics-advisories/icsa-26-62-01
- Multiple denial-of-service (DoS) vulnerabilities in Ethernet function of MELSEC iQ-F Series EtherNet/IP module and Ethernet module: https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-021_en.pdf
- CVE-2026-1874 Detail: https://nvd.nist.gov/vuln/detail/CVE-2026-1874
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could limit the attacker's ability to exploit vulnerabilities in the MELSEC iQ-F Series EtherNet/IP modules by enforcing strict segmentation and identity-aware routing, thereby reducing the potential blast radius of such attacks.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit vulnerabilities in the MELSEC iQ-F Series EtherNet/IP modules would likely be constrained, limiting the potential for initiating a denial-of-service condition.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to exploit unauthenticated vulnerabilities would likely be constrained, reducing the risk of unauthorized access.
Control: East-West Traffic Security
Mitigation: While lateral movement was not observed in this incident, the implementation of East-West Traffic Security would likely constrain any future attempts by limiting unauthorized internal communications.
Control: Multicloud Visibility & Control
Mitigation: Although command and control channels were not established in this incident, Multicloud Visibility & Control would likely constrain such attempts by providing comprehensive monitoring and control over network traffic.
Control: Egress Security & Policy Enforcement
Mitigation: Even though data exfiltration did not occur in this incident, Egress Security & Policy Enforcement would likely constrain such activities by controlling outbound data flows.
The implementation of Aviatrix Zero Trust CNSF would likely constrain the impact of such attacks by limiting the attacker's ability to disrupt device availability.
Impact at a Glance
Affected Business Functions
- Industrial Automation Control
- Manufacturing Operations
Estimated downtime: 2 days
Estimated loss: $50,000
Recommended Actions
Key Takeaways & Next Steps
- Implement network segmentation to isolate critical devices and limit exposure to potential attacks.
- Deploy intrusion prevention systems (IPS) to detect and block malicious traffic patterns indicative of DoS attacks.
- Utilize firewalls and access control lists (ACLs) to restrict unauthorized access to networked devices.
- Regularly update and patch devices to address known vulnerabilities and reduce the attack surface.
- Conduct continuous monitoring and anomaly detection to identify and respond to unusual network activity promptly.
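
The monitoring step above can be approximated with a sliding-window rate check on UDP traffic addressed to the affected modules. The following is an added example, not code from Mitsubishi Electric or from the sources cited on this page; the record format, the addresses (documentation ranges), and the window and threshold values are assumptions to be replaced with values from the real network baseline.

```python
from collections import defaultdict, deque

# Assumed values for illustration; tune to the baseline of the real network.
PROTECTED_MODULES = {"192.0.2.10"}   # constructed address of an FX5 module
WINDOW_SECONDS = 5.0
MAX_UDP_PACKETS_PER_WINDOW = 20

def find_udp_floods(records, protected=PROTECTED_MODULES,
                    window=WINDOW_SECONDS, limit=MAX_UDP_PACKETS_PER_WINDOW):
    """Return one alert per (source, module) pair that exceeds `limit` UDP
    packets within any sliding `window` seconds.

    records: time-ordered iterable of (timestamp, src_ip, dst_ip, protocol).
    """
    recent = defaultdict(deque)   # (src, dst) -> timestamps still in window
    alerted = set()
    alerts = []
    for ts, src, dst, proto in records:
        if proto.lower() != "udp" or dst not in protected:
            continue
        q = recent[(src, dst)]
        q.append(ts)
        while q and ts - q[0] > window:   # drop packets older than the window
            q.popleft()
        if len(q) > limit and (src, dst) not in alerted:
            alerted.add((src, dst))
            alerts.append({"src": src, "dst": dst, "first_seen": q[0],
                           "detected_at": ts, "packets_in_window": len(q)})
    return alerts

def constructed_sample():
    """Constructed records: an HMI polling at 1 packet/s, a host sending
    50 packets/s to the same module, and one unrelated TCP packet."""
    records = [(float(i), "192.0.2.20", "192.0.2.10", "udp") for i in range(30)]
    records += [(10.0 + i * 0.02, "198.51.100.7", "192.0.2.10", "udp")
                for i in range(100)]
    records.append((12.0, "192.0.2.30", "192.0.2.10", "tcp"))
    records.sort(key=lambda r: r[0])
    return records

if __name__ == "__main__":
    for alert in find_udp_floods(constructed_sample()):
        print(alert)
```

Because the modules stay unresponsive until reset, an alert from a check like this is most useful when it also triggers an upstream ACL or rate limit rather than only a notification.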



