CVE-2026-1875 Overview
An Improper Resource Shutdown or Release vulnerability (CWE-404) exists in Mitsubishi Electric Corporation MELSEC iQ-F Series FX5-EIP EtherNet/IP Module. This vulnerability allows a remote attacker to cause a denial-of-service (DoS) condition on affected products by continuously sending UDP packets to the target device. This is a critical vulnerability affecting industrial control systems (ICS) that are commonly deployed in manufacturing and critical infrastructure environments.
The vulnerability stems from improper handling of network resources when processing UDP traffic, causing resource exhaustion that renders the device unresponsive. A system reset of the product is required for recovery, which can lead to significant operational disruptions in industrial environments.
Critical Impact
Remote attackers can disrupt industrial operations by causing a complete denial of service on affected EtherNet/IP modules. Recovery requires a manual system reset, leading to potential production downtime and safety concerns in critical infrastructure environments.
Affected Products
- Mitsubishi Electric MELSEC iQ-F Series FX5-EIP EtherNet/IP Module (all versions)
Discovery Timeline
- 2026-03-03 - CVE-2026-1875 published to NVD
- 2026-03-04 - Last updated in NVD database
Technical Details for CVE-2026-1875
Vulnerability Analysis
This vulnerability exists in the network communication handling layer of the MELSEC iQ-F Series FX5-EIP EtherNet/IP Module. The flaw is classified as CWE-404 (Improper Resource Shutdown or Release), which occurs when the affected device fails to properly release system resources after processing network packets.
The vulnerability is exploitable remotely over a network connection without requiring authentication or user interaction. The impact is limited to availability, meaning an attacker cannot read or modify data, but can completely disrupt the device's operation. Given the industrial control system (ICS) context, this poses significant risks to operational technology (OT) environments where continuous availability is critical for manufacturing processes and safety systems.
Root Cause
The root cause is improper resource management in the module's UDP packet processing logic. When the device receives a sustained flood of UDP packets, it fails to properly release allocated resources, leading to resource exhaustion. This design flaw means the device cannot gracefully handle high volumes of network traffic, ultimately causing it to become unresponsive.
The vulnerability is particularly concerning because:
- No authentication is required to exploit it
- The attack can be launched remotely over the network
- Recovery requires physical intervention (system reset)
- The affected component is used in industrial automation environments
Attack Vector
The attack vector is network-based, requiring an attacker to have network access to the vulnerable device. The attacker continuously sends UDP packets to the FX5-EIP module, exploiting the improper resource release mechanism. Over time, this causes the module to exhaust its available resources and enter a denial-of-service state.
The attack is straightforward to execute as it requires only basic networking capabilities and no special privileges or authentication. An attacker with network visibility to the industrial control network can launch this attack using standard UDP flooding techniques.
The vulnerability affects EtherNet/IP communications, which is a common industrial protocol. Organizations should ensure proper network segmentation between IT and OT environments to limit exposure. For detailed technical information, see the CISA ICS Advisory ICSA-26-62-01 and the Mitsubishi Electric Security Advisory.
Detection Methods for CVE-2026-1875
Indicators of Compromise
- Unusual volume of UDP traffic directed at FX5-EIP EtherNet/IP Module devices
- Unresponsive FX5-EIP modules requiring manual system resets
- Network anomalies showing sustained UDP packet floods from internal or external sources
- Communication failures between PLCs and EtherNet/IP modules in the MELSEC iQ-F Series
Detection Strategies
- Implement network traffic monitoring to detect abnormal UDP traffic patterns targeting industrial control devices
- Configure IDS/IPS rules to alert on sustained UDP packet floods directed at EtherNet/IP ports (typically UDP port 2222 and TCP port 44818)
- Monitor device health metrics for FX5-EIP modules to detect availability issues before complete service disruption
- Establish baseline network behavior for OT environments and alert on significant deviations
Monitoring Recommendations
- Deploy network monitoring solutions at the boundary between IT and OT networks to detect potential attack traffic
- Enable logging on network devices to capture traffic patterns for forensic analysis
- Implement asset inventory and monitoring for all MELSEC iQ-F Series devices to track availability status
- Consider deploying industrial-aware intrusion detection systems that understand EtherNet/IP protocol semantics
How to Mitigate CVE-2026-1875
Immediate Actions Required
- Isolate affected FX5-EIP modules from untrusted networks using proper network segmentation
- Implement firewall rules to restrict UDP traffic to only authorized sources
- Enable rate limiting on network devices to prevent UDP flood attacks from reaching industrial control devices
- Review network architecture to ensure defense-in-depth controls are in place for OT environments
- Monitor the Mitsubishi Electric PSIRT page for security updates
Patch Information
At the time of this publication, all versions of the FX5-EIP EtherNet/IP Module are affected. Organizations should monitor Mitsubishi Electric's security advisories for patch availability. In the interim, implement the recommended workarounds and network-level mitigations to reduce exposure.
For official vendor guidance, refer to:
Workarounds
- Implement network segmentation to isolate industrial control systems from general IT networks and the internet
- Deploy firewalls with strict access control lists limiting UDP traffic to the FX5-EIP modules
- Enable rate limiting and traffic shaping to prevent flood-based attacks from reaching critical OT devices
- Consider deploying a VPN or other secure remote access solution if remote access to the control network is required
# Example firewall rule to restrict UDP access to EtherNet/IP module
# Replace 192.168.1.100 with your FX5-EIP module IP
# Replace 10.0.0.0/24 with your authorized management network
# iptables example - allow UDP only from authorized sources
iptables -A INPUT -d 192.168.1.100 -p udp -s 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -d 192.168.1.100 -p udp -j DROP
# Rate limit UDP connections to prevent flood attacks
iptables -A INPUT -d 192.168.1.100 -p udp -m limit --limit 100/sec --limit-burst 200 -j ACCEPT
iptables -A INPUT -d 192.168.1.100 -p udp -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
