ICS Network Controllers Open to Remote Exploit, No Patches Available

April 18, 2024 at 04:33PM

CISA issued a security advisory warning of vulnerabilities in Unitronics Vision Series PLCs and Mitsubishi Electric MELSEC iQ-R CPUs. Unitronics PLCs store passwords in a recoverable format, leaving them open to cyberattacks. Mitsubishi CPUs transmit passwords in cleartext and have flaws that could compromise device access. The advisory recommends defensive measures such as isolating devices and implementing firewalls.

The advisory describes significant security vulnerabilities affecting industrial control system devices, specifically the Unitronics Vision Series PLCs and the Mitsubishi Electric MELSEC iQ-R Series.

The Unitronics Vision Series PLCs are susceptible to remote exploits due to a vulnerability (CVE-2024-1480, CVSS score 8.7) where passwords are stored in a recoverable format. Unitronics has not collaborated with CISA to address this, leaving networks open to cyberattacks. The recommended safeguards include isolating the controllers from business networks, using firewalls, and employing secure methods such as virtual private networks (VPNs) for remote access.

The Mitsubishi Electric MELSEC iQ-R Series faces multiple vulnerabilities, including the transmission of passwords in cleartext (CVE-2021-20599, CVSS score 9.1) and flaws that could let an attacker compromise usernames, access the device, and deny access to legitimate users. Mitsubishi is working on mitigations and workarounds, but updates for the affected systems are not available. CISA suggests reinforcing defenses with firewalls, remote access limitations, and IP address restrictions.

In summary, the advisory highlights critical vulnerabilities in these industrial control system devices and the protective measures recommended to mitigate the associated risks.
