Skip to main content
CVE Vulnerability Database

CVE-2024-0802: MELSEC CPU Module RCE Vulnerability

CVE-2024-0802 is a remote code execution vulnerability in Mitsubishi Electric MELSEC-Q and MELSEC-L Series CPU modules. Attackers can exploit this flaw to read sensitive data or execute malicious code. Learn about affected versions and mitigation.

Published:

CVE-2024-0802 Overview

CVE-2024-0802 is an Incorrect Pointer Scaling vulnerability affecting Mitsubishi Electric Corporation MELSEC-Q Series and MELSEC-L Series CPU modules. This vulnerability allows a remote unauthenticated attacker to read arbitrary information from a target product or execute malicious code on a target product by sending a specially crafted packet.

Critical Impact

This vulnerability enables remote code execution and arbitrary memory read capabilities without authentication, posing severe risks to Industrial Control Systems (ICS) and critical infrastructure environments utilizing affected Mitsubishi Electric programmable logic controllers.

Affected Products

  • Mitsubishi Electric Corporation MELSEC-Q Series CPU modules
  • Mitsubishi Electric Corporation MELSEC-L Series CPU modules

Discovery Timeline

  • March 15, 2024 - CVE-2024-0802 published to NVD
  • November 21, 2024 - Last updated in NVD database

Technical Details for CVE-2024-0802

Vulnerability Analysis

This vulnerability stems from CWE-468: Incorrect Pointer Scaling, a memory corruption class of vulnerability that occurs when pointer arithmetic is performed incorrectly, leading to unintended memory access. In the context of MELSEC-Q and MELSEC-L Series CPU modules, this flaw enables attackers to manipulate memory addresses beyond intended boundaries.

The vulnerability is particularly dangerous in industrial control system (ICS) environments because these CPU modules are commonly deployed in manufacturing, utilities, and critical infrastructure sectors. Successful exploitation requires no authentication, making any network-accessible device an immediate target. An attacker can leverage this vulnerability to either extract sensitive operational data through arbitrary memory reads or achieve code execution to take control of the industrial process.

Root Cause

The root cause of CVE-2024-0802 lies in incorrect pointer scaling within the affected CPU modules' firmware. When processing specially crafted network packets, the modules perform pointer arithmetic operations without proper validation. The pointer scaling error occurs when the size of the data type being pointed to is not correctly accounted for during address calculations. This results in accessing memory locations that fall outside the intended buffer boundaries, enabling both information disclosure and potential code execution scenarios.

Attack Vector

The attack vector for CVE-2024-0802 is network-based. An unauthenticated remote attacker can exploit this vulnerability by sending specially crafted packets to the affected MELSEC CPU modules over the network. The attack does not require any user interaction, making it particularly dangerous for internet-exposed or inadequately segmented industrial networks.

The exploitation process involves:

  1. Identifying a network-accessible MELSEC-Q or MELSEC-L Series CPU module
  2. Crafting a malicious packet designed to trigger the incorrect pointer scaling
  3. Sending the packet to the target device to either read arbitrary memory contents or inject and execute malicious code

For detailed technical information regarding the vulnerability mechanics, refer to the CISA ICS Advisory ICSA-24-074-14 and the Mitsubishi Electric Security Advisory.

Detection Methods for CVE-2024-0802

Indicators of Compromise

  • Anomalous network traffic patterns targeting MELSEC CPU modules on industrial networks
  • Unexpected memory access errors or crashes on MELSEC-Q/L Series devices
  • Unusual outbound data transfers from PLCs to unknown destinations
  • Log entries indicating malformed packet processing on affected devices

Detection Strategies

  • Deploy network intrusion detection systems (IDS) with signatures specific to MELSEC protocol anomalies
  • Implement deep packet inspection for traffic destined to industrial control system networks
  • Monitor for unusual packet sizes or malformed requests targeting MELSEC CPU communication ports
  • Establish baseline network behavior profiles for MELSEC devices and alert on deviations

Monitoring Recommendations

  • Enable comprehensive logging on network devices segmenting ICS environments
  • Implement real-time monitoring of all network traffic to and from MELSEC CPU modules
  • Configure SIEM systems to correlate events across OT and IT network boundaries
  • Regularly audit network access logs for connections from unauthorized IP addresses

How to Mitigate CVE-2024-0802

Immediate Actions Required

  • Isolate affected MELSEC-Q and MELSEC-L Series CPU modules from untrusted networks immediately
  • Implement strict network segmentation between IT and OT environments
  • Apply access control lists (ACLs) to limit connections to affected devices to authorized systems only
  • Review and validate all firmware versions against the vendor security advisory

Patch Information

Mitsubishi Electric has published a security advisory addressing this vulnerability. Organizations should consult the Mitsubishi Electric Vulnerability Advisory PDF for specific firmware update information and patch availability for affected product models. Additionally, refer to the CISA ICS Advisory ICSA-24-074-14 for comprehensive mitigation guidance.

Workarounds

  • Place affected devices behind firewalls and restrict network access to only essential personnel and systems
  • Disable remote access capabilities when not operationally required
  • Use VPN connections for any necessary remote access to industrial control networks
  • Implement application-layer firewalls capable of inspecting and filtering MELSEC-specific protocols
bash
# Example network segmentation firewall rule (iptables)
# Restrict access to MELSEC devices to authorized management subnet only
iptables -A INPUT -s 192.168.100.0/24 -d 10.0.50.0/24 -p tcp --dport 5007 -j ACCEPT
iptables -A INPUT -d 10.0.50.0/24 -p tcp --dport 5007 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.