Mitsubishi Electric has disclosed an integer overflow vulnerability in the EtherNet/IP module of its MELSEC iQ-F Series programmable logic controllers, affecting all firmware versions up to and including 1.000. The flaw, tracked as CVE-2026-8805, carries a CVSS v3.1 base score of 7.5 (HIGH) and a CVSS v4.0 score of 8.7 (HIGH).

Vulnerability Details

The vulnerability resides in the EtherNet/IP communication function of the FX5-EIP module. An unauthenticated remote attacker can exploit the flaw by rapidly opening a large number of TCP connections to the device. This exhausts or corrupts the module’s internal connection management state, ultimately triggering improper memory access and causing a denial-of-service (DoS) condition. No authentication or user interaction is required, and the attack vector is fully network-accessible, making this a credible risk for any internet-exposed or improperly segmented deployment.

The weakness is classified under CWE-190 (Integer Overflow or Wraparound). Affected hardware is deployed worldwide in critical manufacturing environments.

Affected Products

  • MELSEC iQ-F Series FX5-EIP EtherNet/IP Module, firmware version 1.000 and earlier

Remediation

Mitsubishi Electric has released firmware version 1.001 to address the vulnerability. Administrators should download the update from the vendor’s software download portal and apply it promptly. Mitsubishi Electric self-reported this vulnerability to CISA.

Interim Mitigations

For operators unable to patch immediately, Mitsubishi Electric recommends a layered set of compensating controls:

  • Isolate the affected module within a LAN and block access from untrusted networks using firewalls.
  • Use the module’s built-in IP filter function to restrict connections to known, trusted hosts (documented in section 13.1 of the MELSEC iQ-F FX5 User’s Manual, Communications).
  • Require VPN access for any remote connectivity, and ensure VPN software is kept current.
  • Restrict physical access to the module and any connected PCs or network equipment.
  • Deploy endpoint anti-virus software on hosts that interact with the affected device.

CISA echoes standard ICS hardening guidance: keep control system networks off the public internet, segment them from business networks, and conduct thorough risk assessments before deploying mitigations.
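
As an added example (not code from Mitsubishi Electric or CISA), the script below shows one way to watch for the condition described under Vulnerability Details while also checking the trusted-host allowlist from the interim mitigations: it counts new TCP connections per source to the module in a sliding window. The log format, IP addresses, window and threshold are constructed assumptions; 44818 is the standard EtherNet/IP TCP port.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

ENIP_TCP_PORT = 44818            # standard EtherNet/IP explicit-messaging TCP port
WINDOW = timedelta(seconds=10)   # assumption: sliding window length
MAX_NEW_CONNS = 20               # assumption: tune to the site's normal baseline


def build_sample_log():
    """Constructed flow records: 'timestamp src_ip dst_ip dst_port tcp_flags'."""
    base = datetime(2026, 1, 1, 12, 0, 0)
    lines = []
    for i in range(3):           # trusted engineering host, normal rate
        ts = base + timedelta(seconds=4 * i)
        lines.append(f"{ts.isoformat()} 192.0.2.10 192.0.2.50 44818 S")
    for i in range(40):          # unknown host opening connections in a burst
        ts = base + timedelta(milliseconds=100 * i)
        lines.append(f"{ts.isoformat()} 198.51.100.7 192.0.2.50 44818 S")
    lines.append(f"{base.isoformat()} 192.0.2.10 192.0.2.50 44818 A")  # not a new connection
    lines.append(f"{base.isoformat()} 192.0.2.11 192.0.2.50 502 S")    # different service
    return lines


def parse(line):
    ts, src, dst, port, flags = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), flags


def detect(lines, module_ip, trusted_hosts):
    """Return {src_ip: set of reasons} for new connections to the module."""
    recent = defaultdict(deque)  # src -> SYN timestamps still inside WINDOW
    alerts = defaultdict(set)
    for ts, src, dst, port, flags in sorted(map(parse, lines)):
        if dst != module_ip or port != ENIP_TCP_PORT or flags != "S":
            continue             # only SYN-only records aimed at the module
        if src not in trusted_hosts:
            alerts[src].add("untrusted-source")   # firewall/IP filter gap
        q = recent[src]
        q.append(ts)
        while ts - q[0] > WINDOW:                 # drop SYNs older than the window
            q.popleft()
        if len(q) > MAX_NEW_CONNS:
            alerts[src].add("connection-burst")
    return dict(alerts)


if __name__ == "__main__":
    for src, reasons in detect(build_sample_log(), "192.0.2.50", {"192.0.2.10"}).items():
        print(src, sorted(reasons))
```

An "untrusted-source" hit on a segmented network means the firewall or IP filter rules are not doing what was intended, which is worth investigating even without a burst.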