CVE-2026-1874 Mitsubishi Electric Corporation CVE debrief

Who should care

OT/ICS operators using Mitsubishi Electric MELSEC iQ-F Series FX5-EIP EtherNet/IP modules or FX5-ENET/IP Ethernet modules, especially plants where the devices are network-reachable beyond a tightly controlled LAN. Security teams responsible for industrial network segmentation, firmware management, and outage response planning should treat this as an availability risk.

Technical summary

The flaw is described as an always-incorrect control flow implementation issue in the Ethernet function of affected MELSEC iQ-F modules. The practical impact is availability-only: a remote attacker can trigger uncontrolled receive buffer consumption by sending UDP packets repeatedly, eventually causing denial of service. The advisory states that a system reset is required for recovery. Fixed firmware is available for FX5-ENET/IP (1.107 or later) and FX5-EIP (1.001 or later). Until patching is complete, Mitsubishi Electric recommends restricting exposure with firewalls/VPNs, limiting the devices to trusted LAN segments, using the product IP filter function, and tightening physical access to connected devices.

Defensive priority

High. This is remotely reachable, requires no authentication, affects industrial control equipment, and can cause operational outage with manual reset needed for recovery. Prioritize if the modules are internet-exposed, reachable across site networks, or used in critical production paths.

Recommended defensive actions

• Upgrade FX5-ENET/IP Ethernet modules to firmware version 1.107 or later.
• Upgrade FX5-EIP EtherNet/IP modules to firmware version 1.001 or later.
• If immediate patching is not possible, place the affected devices behind firewalls or a VPN and block untrusted access.
• Keep the affected modules on a trusted LAN segment and deny access from untrusted networks and hosts.
• Enable and configure the device IP filter function to restrict which hosts can reach the modules.
• Restrict physical access to the affected products and to the PCs and network devices connected to them.
• Apply your normal OT change-control and recovery planning, including validation that a system reset would be operationally safe if the issue is triggered.
• Review the Mitsubishi Electric advisory and the CISA ICS advisory for model-specific guidance and update history.

Evidence notes

All technical claims in this debrief are drawn from the supplied CISA CSAF source item and the linked Mitsubishi Electric advisory reference. The advisory states the vulnerability affects MELSEC iQ-F Series FX5-EIP EtherNet/IP Module FX5-EIP <=1.000 and FX5-ENET/IP Ethernet Module FX5-ENET/IP <=1.106, with fixed versions 1.001+ and 1.107+ respectively. The source also states that continuous UDP packet transmission can cause uncontrolled receive buffer consumption and denial of service, and that recovery requires a system reset. Timing context uses the supplied CVE published date (2026-03-03) and modified date / Update A (2026-05-07).

Official resources