CVE-2019-6535 in Q03

Summary

by MITRE

Mitsubishi Electric Q03/04/06/13/26UDVCPU: serial number 20081 and prior, Q04/06/13/26UDPVCPU: serial number 20081 and prior, and Q03UDECPU, Q04/06/10/13/20/26/50/100UDEHCPU: serial number 20101 and prior. A remote attacker can send specific bytes over Port 5007 that will result in an Ethernet stack crash.


Analysis

by VulDB Data Team • 06/27/2025

The vulnerability identified as CVE-2019-6535 affects Mitsubishi Electric programmable logic controllers including the Q03, Q04, Q06, Q13, Q26UDVCPU models and related Q04, Q06, Q13, Q26UDPVCPU devices along with Q03UDE and Q04, Q06, Q10, Q13, Q20, Q26, Q50, Q100UDEHCPU series. These industrial control systems operate in critical infrastructure environments where reliability and security are paramount. The affected devices are configured with serial numbers up to and including 20081 for certain models and 20101 for others, indicating a specific firmware version range where the vulnerability exists. This vulnerability represents a significant concern for operational technology environments as it enables remote code execution through network-based attacks targeting industrial control systems.

The technical flaw manifests in the Ethernet stack implementation of these Mitsubishi PLC devices, specifically when processing data received on port 5007. An attacker can exploit this vulnerability by sending specifically crafted byte sequences to the designated network port, which causes the Ethernet stack to crash and potentially leads to a complete system failure. The vulnerability stems from inadequate input validation and buffer handling within the network protocol stack implementation, allowing malformed data to trigger unexpected behavior in the device's network processing components. This type of vulnerability falls under CWE-129 Input Validation and CWE-121 Stack-based Buffer Overflow categories, representing a classic network protocol exploitation vector that can lead to denial of service conditions.

The operational impact of this vulnerability extends beyond simple service disruption, as it can compromise the availability of critical industrial control systems. When the Ethernet stack crashes, the PLC may become unresponsive, preventing normal control operations and potentially leading to production line shutdowns or safety system failures. In industrial environments where these devices control manufacturing processes, chemical plants, or power generation systems, such an attack could result in significant financial losses, safety hazards, or regulatory compliance issues. The remote nature of the attack means that adversaries do not require physical access to the devices, making the vulnerability particularly dangerous for environments where industrial networks are connected to corporate networks or the internet. This vulnerability aligns with ATT&CK technique T1210 Exploitation of Remote Services, demonstrating how industrial control systems can be targeted through network-based attacks.

Mitigation strategies for CVE-2019-6535 should include immediate firmware updates from Mitsubishi Electric addressing the specific Ethernet stack implementation issues. Network segmentation and access controls should be implemented to restrict access to port 5007, limiting the attack surface and preventing unauthorized access to these critical control systems. Organizations should also implement network monitoring to detect suspicious traffic patterns on port 5007 and establish incident response procedures for handling potential exploitation attempts. Additionally, regular vulnerability assessments of industrial control systems should be conducted to identify similar vulnerabilities in other network services and protocols. The vulnerability highlights the importance of secure network design principles for industrial environments and the necessity of maintaining current security patches for operational technology systems.
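One way to implement the port 5007 monitoring recommended above, as an added example that is not part of this entry or of any Mitsubishi Electric tooling: it scans flow records for traffic to port 5007 on PLC addresses from sources outside an allowlist. The flow-record format, the PLC subnet and the allowlisted host are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

PLC_PORT = 5007  # port named in the advisory
# Assumptions for this example: the PLC subnet and the hosts allowed to reach it.
PLC_NET = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_SOURCES = {ipaddress.ip_address("10.20.1.10")}

# Constructed flow records: timestamp src dst dport proto bytes
SAMPLE_FLOWS = """\
2025-06-27T08:00:01Z 10.20.1.10 10.20.0.5 5007 tcp 412
2025-06-27T08:00:07Z 10.30.4.77 10.20.0.5 5007 tcp 96
2025-06-27T08:00:08Z 10.30.4.77 10.20.0.6 5007 tcp 96
2025-06-27T08:00:09Z 10.30.4.77 10.20.0.5 502 tcp 120
2025-06-27T08:01:15Z 192.0.2.44 10.20.0.9 5007 udp 64
2025-06-27T08:01:20Z 10.20.1.10 10.50.0.3 5007 tcp 80
2025-06-27T08:01:30Z bad-ip 10.20.0.5 5007 tcp 10
malformed line
"""

def parse_flow(line):
    """Parse one record; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, dst, dport, proto, nbytes = parts
    try:
        return {"ts": ts, "src": ipaddress.ip_address(src),
                "dst": ipaddress.ip_address(dst), "dport": int(dport),
                "proto": proto.lower(), "bytes": int(nbytes)}
    except ValueError:
        return None

def find_violations(text):
    """Flows to port 5007 on a PLC address from a source outside the allowlist."""
    hits = []
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow is None:
            continue
        if (flow["dport"] == PLC_PORT and flow["dst"] in PLC_NET
                and flow["src"] not in ALLOWED_SOURCES):
            hits.append(flow)
    return hits

def plcs_by_source(hits):
    """Group flagged flows by source to show how many PLCs each one reached."""
    seen = defaultdict(set)
    for flow in hits:
        seen[str(flow["src"])].add(str(flow["dst"]))
    return dict(seen)

if __name__ == "__main__":
    for src, plcs in plcs_by_source(find_violations(SAMPLE_FLOWS)).items():
        print(f"ALERT {src} reached port {PLC_PORT} on {sorted(plcs)}")
```

Both TCP and UDP records are checked because the entry names only the port number, not the transport.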

Reservation

01/22/2019

Moderation

accepted

CPE

ready

EPSS

0.01491

KEV

no

Activities

very low
