Description
Improper Resource Shutdown or Release vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series FX5-ENET/IP Ethernet Module FX5-ENET/IP all versions allows a remote attacker to cause a denial-of-service (DoS) condition on the products by continuously sending UDP packets to the products. A system reset of the product is required for recovery.
Published: 2026-03-03
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Apply Update
AI Analysis

Impact

A flaw in the Ethernet module of Mitsubishi Electric's MELSEC iQ-F Series FX5-ENET/IP causes improper resource shutdown or release when the device receives a continuous stream of UDP packets. The result is a denial-of-service condition, and a system reset of the product is required for recovery. The weakness is classified as CWE-404, and based on the description it is inferred that no authentication or local access is required.

Affected Systems

All firmware versions of the MELSEC iQ‑F Series FX5‑ENET/IP Ethernet Module FX5‑ENET/IP from Mitsubishi Electric are affected. The vulnerability resides in the Ethernet function and applies to every variant of the module within the series.

Risk and Exploitability

The CVSS score of 8.7 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation in the current environment. The vulnerability is not listed in CISA's catalog of known exploited vulnerabilities. Attackers could exploit this flaw from a remote location by continuously sending UDP packets, leaving the device in a denial-of-service condition until it is reset and disrupting critical industrial control processes. While the preferred mitigation is an official firmware update, temporary network-level controls such as UDP rate limiting can reduce the impact, though they do not provide a complete fix. Consequently, the risk remains with devices still running affected firmware and exposed to UDP traffic.

Generated by OpenCVE AI on April 18, 2026 at 10:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update released by Mitsubishi Electric’s PSIRT, as detailed in the 2025‑021 vulnerability PDF.
  • Implement network‑level filtering or rate limiting on UDP traffic destined for the device to reduce the impact of continuous packet injection.
  • Plan and schedule regular system resets or maintain isolation strategies to recover automatically should the device not recover from a DoS incident.


Advisories

No advisories yet.

History

Wed, 04 Mar 2026 15:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mitsubishi Electric Corporation; Mitsubishi Electric Corporation melsec Iq-f Series Fx5-enet/ip Ethernet Module Fx5-enet/ip
Vendors & Products | | Mitsubishi Electric Corporation; Mitsubishi Electric Corporation melsec Iq-f Series Fx5-enet/ip Ethernet Module Fx5-enet/ip

Wed, 04 Mar 2026 08:30:00 +0000

Type | Values Removed | Values Added
References | |

Tue, 03 Mar 2026 15:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 03 Mar 2026 07:30:00 +0000

Type | Values Removed | Values Added
Description | | Improper Resource Shutdown or Release vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series FX5-ENET/IP Ethernet Module FX5-ENET/IP all versions allows a remote attacker to cause a denial-of-service (DoS) condition on the products by continuously sending UDP packets to the products. A system reset of the product is required for recovery.
Title | | Denial-of-Service (DoS) vulnerability in Ethernet function of MELSEC iQ-F Series Ethernet module
Weaknesses | | CWE-404
References | |
Metrics | | cvssV4_0: {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: Mitsubishi

Published:

Updated: 2026-03-04T08:25:07.248Z

Reserved: 2026-02-04T04:09:52.102Z

Link: CVE-2026-1876

Vulnrichment

Updated: 2026-03-03T14:52:00.059Z

NVD

Status: Awaiting Analysis

Published: 2026-03-03T08:16:08.970

Modified: 2026-03-04T09:15:55.800

Link: CVE-2026-1876

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:15:25Z

Weaknesses