Thai Do

**Name of the Vulnerable Software and Affected Versions** Mitsubishi Electric MELSEC iQ-F Series CPU module (affected versions not specified) **Description** A missing authentication feature in the MODBUS/TCP implementation of the Mitsubishi Electric MELSEC iQ-F Series CPU module allows a remote, unauthenticated attacker to read or write device values and stop program operation. The vulnerability stems from the lack of authentication features within the MODBUS/TCP protocol used by the product. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Mitsubishi Electric Corporation MELSEC iQ-F Series CPU module (affected versions not specified) **Description** A cleartext transmission issue exists in the Mitsubishi Electric Corporation MELSEC iQ-F Series CPU module. A remote, unauthenticated attacker can intercept SLMP communication messages to obtain credential information. This allows the attacker to read or write device values and potentially stop program operations. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Mitsubishi Electric Corporation MELSEC iQ-F Series CPU module (affected versions not specified) Description: An improper handling of a length parameter inconsistency exists in the web server function of the product. This allows a remote, unauthenticated attacker to delay processing of the web server function and prevent legitimate users from utilizing it by sending a specially crafted HTTP request. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Mitsubishi Electric MELSEC iQ-F Series (affected versions not specified) Description: The software contains an overly restrictive account lockout mechanism. A remote, unauthenticated attacker can lockout legitimate users by repeatedly attempting to log in with incorrect passwords. This prevents legitimate users from logging in for a specific duration or until the product is reset. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.