CISA Advisory Highlights Critical ICS Device Vulnerabilities with No Immediate Fixes

By Admin | 2024-04-25 | Vulnerabilities

A recent security advisory issued by the Cybersecurity and Infrastructure Security Agency (CISA) has raised concerns over vulnerabilities affecting two industrial control systems (ICS) devices: Unitronics Vision Series PLCs and Mitsubishi Electric MELSEC iQ-R Series.

The advisory warns that Unitronics Vision Series PLCs are susceptible to remote exploitation due to storing passwords in a recoverable format, identified under CVE-2024-1480 with a CVSS score of 8.7. CISA noted that Unitronics has not collaborated with the agency to address this issue, leaving networks using these devices potentially vulnerable to cyberattacks. To mitigate risks, CISA recommends isolating these controllers from the internet, segregating them from business networks, deploying firewalls, and utilizing secure remote access methods such as virtual private networks (VPNs).

Meanwhile, vulnerabilities affecting Mitsubishi Electric Corporation's MELSEC iQ-R CPU Module include a design flaw (CVE-2021-20599, CVSS 9.1) that transmits passwords in cleartext, making them easily interceptable by malicious actors. Additionally, the Mitsubishi MELSEC CPUs are affected by multiple reported flaws, including exposure of sensitive information (CVE-2021-20594, CVSS 5.9), insufficiently protected credentials (CVE-2021-20597, CVSS 7.4), and a restrictive account lockout mechanism (CVE-2021-20598, CVSS 3.7).

Mitsubishi Electric is actively working on mitigations and workarounds for these vulnerabilities. However, according to CISA, no fixes are currently available for the affected systems. Consequently, CISA advises administrators with these devices on their networks to reinforce defenses by deploying firewalls, restricting remote access, and applying IP address restrictions.
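The IP restriction and network-segregation advice above can be checked mechanically. The following is an added illustration, not code from the advisory or either vendor; the PLC subnet, the engineering-workstation allow-list and both firewall rulesets are constructed sample values. It audits a ruleset for any allow rule that lets a source outside the allow-list reach the PLC network, and contrasts an over-broad ruleset with a hardened one.

```python
import ipaddress

# Constructed sample values (not from the advisory): the PLC network that must be
# reachable only from allow-listed engineering hosts, per CISA's IP-restriction advice.
PLC_NET = ipaddress.ip_network("10.50.10.0/24")
ENGINEERING_HOSTS = {"10.20.5.11", "10.20.5.12"}  # hypothetical VPN-reachable workstations

# Firewall rules as (action, source CIDR, destination CIDR); first matching rule wins.
WEAK_RULES = [
    ("allow", "10.20.5.11/32", "10.50.10.0/24"),
    ("allow", "10.20.5.12/32", "10.50.10.0/24"),
    ("allow", "0.0.0.0/0", "10.50.10.0/24"),  # over-broad: any source reaches the PLCs
    ("deny", "0.0.0.0/0", "0.0.0.0/0"),
]
# Hardened ruleset: same allow-list, the over-broad allow removed, default deny kept.
HARDENED_RULES = [r for r in WEAK_RULES if r[1] != "0.0.0.0/0" or r[0] == "deny"]

def decide(rules, src, dst):
    """Return the action of the first rule matching src -> dst ('deny' if none matches)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_cidr, dst_cidr in rules:
        if s in ipaddress.ip_network(src_cidr) and d in ipaddress.ip_network(dst_cidr):
            return action
    return "deny"

def audit_plc_exposure(rules):
    """List allow rules that let a source outside the engineering allow-list reach PLC_NET."""
    findings = []
    for idx, (action, src_cidr, dst_cidr) in enumerate(rules):
        if action != "allow" or not ipaddress.ip_network(dst_cidr).overlaps(PLC_NET):
            continue
        src_net = ipaddress.ip_network(src_cidr)
        # A /32 for an allow-listed host is acceptable; anything wider or unlisted is exposure.
        if src_net.num_addresses != 1 or str(src_net.network_address) not in ENGINEERING_HOSTS:
            findings.append(f"rule {idx}: source {src_cidr} may reach PLC network {dst_cidr}")
    return findings

if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit_plc_exposure(rules) or "no findings")
        # 203.0.113.5 is a documentation-range address standing in for an internet host.
        print("  internet host ->", decide(rules, "203.0.113.5", "10.50.10.7"))
```

A business-network host (for example 10.10.3.4 in the constructed layout) is denied by both rulesets only because no allow rule covers it; the audit is what catches the silent over-broad allow.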

Despite efforts by Mitsubishi Electric to address the issues, users are urged to take defensive measures to minimize the risk of exploitation until a fix is made available.