PT-2021-8028 · Mitsubishi · MELSEC iQ-R Series CPU Modules

Published: 2021-08-05 · Updated: 2021-08-27 · CVE-2021-20598

CVSS v2.0: 5.0 (Medium)

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Name of the Vulnerable Software and Affected Versions

Mitsubishi Electric MELSEC iQ-R series CPU modules R08/16/32/120SFCPU (all versions)
Mitsubishi Electric MELSEC iQ-R series CPU modules R08/16/32/120PSFCPU (all versions)

Description

The issue is an overly restrictive account lockout mechanism in the Mitsubishi Electric MELSEC iQ-R series CPU modules. A remote unauthenticated attacker can lock out a legitimate user by continuously trying to log in with an incorrect password: sequentially entering a known username and an incorrect password blocks that user's account.

Recommendations

For Mitsubishi Electric MELSEC iQ-R series CPU modules R08/16/32/120SFCPU (all versions), consider implementing a temporary workaround to limit the number of incorrect login attempts. For Mitsubishi Electric MELSEC iQ-R series CPU modules R08/16/32/120PSFCPU (all versions), restrict access to the login functionality until a fix is available. As a temporary mitigation measure, consider disabling the login feature for the affected CPU modules until a patch is released.

Fix

Improper Authentication

Weakness Enumeration

Related Identifiers

BDU:2024-03608
CVE-2021-20598

Affected Products

MELSEC iQ-R Series CPU Modules