PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-8370 Mitsubishi Electric CVE debrief

CVE-2016-8370 describes a credential exposure issue in Mitsubishi Electric Automation MELSEC-Q series Ethernet interface modules. According to the NVD record, affected firmware includes QJ71E71-100, QJ71E71-B5, and QJ71E71-B2, all versions. The issue is network-reachable and results in weakly encrypted passwords being transmitted to a MELSEC-Q PLC, which raises the risk of credential interception on industrial networks.

Vendor: Mitsubishi Electric
Product: CVE-2016-8370
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-02-13
Original CVE updated: 2026-05-13
Advisory published: 2017-02-13
Advisory updated: 2026-05-13

Who should care

Industrial control system operators, plant engineers, OT security teams, and anyone managing Mitsubishi Electric MELSEC-Q environments with QJ71E71-100, QJ71E71-B5, or QJ71E71-B2 Ethernet interface modules.

Technical summary

NVD lists this as CVE-2016-8370 with CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N and CWE-327. The core issue is that passwords are transmitted using weak encryption to the PLC over the network, creating a confidentiality risk for credentials that may be observed in transit. The NVD CPEs mark the affected firmware entries as vulnerable for all versions of the listed modules.

Defensive priority

High

Recommended defensive actions

  • Review the referenced ICS-CERT advisory ICSA-16-336-03 and any vendor guidance for this issue.
  • Restrict and segment network access to affected Mitsubishi Electric PLCs and their Ethernet interface modules.
  • Limit exposure of OT management traffic to trusted engineering workstations and tightly controlled network paths.
  • Monitor PLC-related network segments for unauthorized access attempts or unexpected credential-related traffic.
  • Apply any vendor-provided mitigation, update, or replacement guidance identified in the official advisory before restoring broader network access.

Evidence notes

This debrief is based only on the supplied NVD record and linked references. The record was published on 2017-02-13 and modified on 2026-05-13. NVD lists the affected firmware CPEs for Mitsubishi Electric QJ71E71-100, QJ71E71-B5, and QJ71E71-B2 as vulnerable for all versions, and maps the weakness to CWE-327. The supplied references include a SecurityFocus BID entry and the ICS-CERT advisory ICSA-16-336-03. No fixed remediation version was provided in the supplied corpus.

Official resources

Publicly disclosed in the CVE/NVD record on 2017-02-13; the NVD entry was later modified on 2026-05-13. The supplied corpus does not include a separate vendor publication date.