An improper validation of a specified quantity in input data allows a remote unauthenticated attacker to send specially crafted UDP packets to affected Mitsubishi Electric CC‑Link IE TSN modules, resulting in a DoS condition where the device may crash or become unresponsive. The weakness is identified as CWE-1284. The impact is limited to service availability, with no known impact on confidentiality or integrity. The vulnerability is triggered by malformed UDP packets that fail to be properly checked before use, leading to resource exhaustion or a fault in the packet handling logic.

The affected products include Mitsubishi Electric Corporation CC‑Link IE TSN Remote I/O modules, CC‑Link IE TSN Analog‑Digital Converter modules, CC‑Link IE TSN Digital‑Analog Converter modules, CC‑Link IE TSN FPGA modules, CC‑Link IE TSN Remote Station Communication LSI CP620 with GbE‑PHY, CC‑Link IE TSN Master/Local Station Communication LSI CP610, and MELSEC iQ‑F Series FX5 master/local and Ethernet modules. Specific versions are not disclosed in the advisory.

The CVSS score of 7.5 denotes a moderate severity, while an EPSS score of less than 1 % indicates a very low current exploitation probability. The vulnerability is not listed in CISA’s KEV catalog, suggesting no documented attacks so far. The likely attack vector is a remote network attacker who can reach the device’s UDP port without authentication, sending crafted packets. Given the moderate severity and low exploitation likelihood, immediate patching is recommended, and a graceful degradation path should be considered while awaiting a vendor update.