Vulnerability Details : CVE-2020-13238
Mitsubishi MELSEC iQ-R Series PLCs with firmware 33 allow attackers to halt the industrial process by sending an unauthenticated crafted packet over the network, because this denial of service attack consumes excessive CPU time. After halting, physical access to the PLC is required in order to restore production.
Vulnerability category: Denial of service
Products affected by CVE-2020-13238
- cpe:2.3:o:mitsubishielectric:melsec_iq-r00cpu_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:melsec_iq-r01cpu_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:melsec_iq-r02cpu_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:melsec_iq-r04cpu_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:melsec_iq-r08cpu_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:melsec_iq-r16cpu_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:melsec_iq-r32cpu_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:melsec_iq-r120cpu_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:melsec_iq-r08fcpu_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:melsec_iq-r16fcpu_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:melsec_iq-r32fcpu_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:melsec_iq-r120fcpu_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:melsec_iq-r08pcpu_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:melsec_iq-r16pcpu_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:melsec_iq-r32pcpu_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:melsec_iq-r120pcpu_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:melsec_iq-r08sfcpu_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:melsec_iq-r16sfcpu_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:melsec_iq-r32sfcpu_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:melsec_iq-r120sfcpu_firmware:*:*:*:*:*:*:*:*
- cpe:2.3:o:mitsubishielectric:melsec_iq-rj71en71_firmware:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-13238
0.31%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 70 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-13238
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.8
|
HIGH | AV:N/AC:L/Au:N/C:N/I:N/A:C |
10.0
|
6.9
|
NIST | |
7.5
|
HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
3.9
|
3.6
|
NIST |
CWE ids for CVE-2020-13238
-
The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.Assigned by: nvd@nist.gov (Primary)
References for CVE-2020-13238
-
https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2020-001_en.pdf
MITSUBISHI ELECTRIC Global websiteVendor Advisory
-
https://www.us-cert.gov/ics/advisories/icsa-20-161-02
Mitsubishi Electric MELSEC iQ-R series | CISAThird Party Advisory;US Government Resource
-
http://jvn.jp/vu/JVNVU97662844/index.html
JVNVU#97662844: 三菱電機製 MELSEC iQ-R シリーズの Ethernet ポートにおけるリソース枯渇の脆弱性Third Party Advisory
Jump to