{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1874", "assignerOrgId": "e0f77b61-78fd-4786-b3fb-1ee347a748ad", "state": "PUBLISHED", "assignerShortName": "Mitsubishi", "dateReserved": "2026-02-04T04:08:41.166Z", "datePublished": "2026-03-03T06:46:21.526Z", "dateUpdated": "2026-04-24T07:24:38.061Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "e0f77b61-78fd-4786-b3fb-1ee347a748ad", "shortName": "Mitsubishi", "dateUpdated": "2026-04-24T07:24:38.061Z"}, "title": "Denial-of-Service (DoS) vulnerability in Ethernet function of MELSEC iQ-F Series EtherNet/IP module and Ethernet module", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-670", "description": "CWE-670 Always-Incorrect Control Flow Implementation", "type": "CWE"}]}], "impacts": [{"descriptions": [{"lang": "en", "value": "Denial-of-Service"}]}], "affected": [{"vendor": "Mitsubishi Electric Corporation", "product": "MELSEC iQ-F Series FX5-ENET/IP Ethernet Module FX5-ENET/IP", "versions": [{"status": "affected", "version": "versions 1.106 and prior"}], "defaultStatus": "unaffected"}, {"vendor": "Mitsubishi Electric Corporation", "product": "MELSEC iQ-F Series FX5-EIP EtherNet/IP Module FX5-EIP", "versions": [{"status": "affected", "version": "versions 1.000 and prior"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Always-Incorrect Control Flow Implementation vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series FX5-ENET/IP Ethernet Module FX5-ENET/IP versions 1.106 and prior and Mitsubishi Electric Corporation MELSEC iQ-F Series FX5-EIP EtherNet/IP Module FX5-EIP versions 1.000 and prior allows a remote attacker to cause a denial-of-service (DoS) condition on the products by continuously sending UDP packets to the products. A system reset of the product is required for recovery.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Always-Incorrect Control Flow Implementation vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series FX5-ENET/IP Ethernet Module FX5-ENET/IP versions 1.106 and prior and Mitsubishi Electric Corporation MELSEC iQ-F Series FX5-EIP EtherNet/IP Module FX5-EIP versions 1.000 and prior allows a remote attacker to cause a denial-of-service (DoS) condition on the products by continuously sending UDP packets to the products. A system reset of the product is required for recovery."}]}], "references": [{"url": "https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-021_en.pdf", "tags": ["vendor-advisory"]}, {"url": "https://jvn.jp/vu/JVNVU93286687/", "tags": ["government-resource"]}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-62-01", "tags": ["government-resource"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 8.7, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-03T14:35:32.565171Z", "id": "CVE-2026-1874", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T14:35:41.328Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1874", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-03T14:35:32.565171Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-03T14:35:36.790Z"}}], "cna": {"title": "Denial-of-Service (DoS) vulnerability in Ethernet function of MELSEC iQ-F Series EtherNet/IP module and Ethernet module", "source": {"discovery": "UNKNOWN"}, "impacts": [{"descriptions": [{"lang": "en", "value": "Denial-of-Service"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Mitsubishi Electric Corporation", "product": "MELSEC iQ-F Series FX5-ENET/IP Ethernet Module FX5-ENET/IP", "versions": [{"status": "affected", "version": "versions 1.106 and prior"}], "defaultStatus": "unaffected"}, {"vendor": "Mitsubishi Electric Corporation", "product": "MELSEC iQ-F Series FX5-EIP EtherNet/IP Module FX5-EIP", "versions": [{"status": "affected", "version": "versions 1.000 and prior"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-021_en.pdf", "tags": ["vendor-advisory"]}, {"url": "https://jvn.jp/vu/JVNVU93286687/", "tags": ["government-resource"]}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-62-01", "tags": ["government-resource"]}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Always-Incorrect Control Flow Implementation vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series FX5-ENET/IP Ethernet Module FX5-ENET/IP versions 1.106 and prior and Mitsubishi Electric Corporation MELSEC iQ-F Series FX5-EIP EtherNet/IP Module FX5-EIP versions 1.000 and prior allows a remote attacker to cause a denial-of-service (DoS) condition on the products by continuously sending UDP packets to the products. A system reset of the product is required for recovery.", "supportingMedia": [{"type": "text/html", "value": "Always-Incorrect Control Flow Implementation vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series FX5-ENET/IP Ethernet Module FX5-ENET/IP versions 1.106 and prior and Mitsubishi Electric Corporation MELSEC iQ-F Series FX5-EIP EtherNet/IP Module FX5-EIP versions 1.000 and prior allows a remote attacker to cause a denial-of-service (DoS) condition on the products by continuously sending UDP packets to the products. A system reset of the product is required for recovery.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-670", "description": "CWE-670 Always-Incorrect Control Flow Implementation"}]}], "providerMetadata": {"orgId": "e0f77b61-78fd-4786-b3fb-1ee347a748ad", "shortName": "Mitsubishi", "dateUpdated": "2026-04-24T07:24:38.061Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1874", "state": "PUBLISHED", "dateUpdated": "2026-04-24T07:24:38.061Z", "dateReserved": "2026-02-04T04:08:41.166Z", "assignerOrgId": "e0f77b61-78fd-4786-b3fb-1ee347a748ad", "datePublished": "2026-03-03T06:46:21.526Z", "assignerShortName": "Mitsubishi"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:mitsubishielectric:melsec_iq-f_fx5-eip_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "CA5DF40B-18EF-4115-9AE8-A64F3607CA7A", "versionEndIncluding": "1.000", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:mitsubishielectric:melsec_iq-f_fx5-eip:-:*:*:*:*:*:*:*", "matchCriteriaId": "D941E7FD-DC6C-413B-B08C-A4CE18C2D7F9", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:mitsubishielectric:melsec_iq-f_fx5-enet\\/ip_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "9D2B0F6C-6AD2-4A95-9492-FE7D048A665F", "versionEndIncluding": "1.106", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:mitsubishielectric:melsec_iq-f_fx5-enet\\/ip:-:*:*:*:*:*:*:*", "matchCriteriaId": "C52725C6-F540-4F35-BEA0-1F72B42C0729", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Always-Incorrect Control Flow Implementation vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series FX5-ENET/IP Ethernet Module FX5-ENET/IP versions 1.106 and prior and Mitsubishi Electric Corporation MELSEC iQ-F Series FX5-EIP EtherNet/IP Module FX5-EIP versions 1.000 and prior allows a remote attacker to cause a denial-of-service (DoS) condition on the products by continuously sending UDP packets to the products. A system reset of the product is required for recovery."}, {"lang": "es", "value": "Vulnerabilidad de implementaci\u00f3n de flujo de control siempre incorrecto en Mitsubishi Electric Corporation MELSEC iQ-F Series FX5-ENET/IP Ethernet Module FX5-ENET/IP versiones 1.106 y anteriores y Mitsubishi Electric Corporation MELSEC iQ-F Series FX5-EIP EtherNet/IP Module FX5-EIP todas las versiones permite a un atacante remoto causar una condici\u00f3n de denegaci\u00f3n de servicio (DoS) en los productos al enviar continuamente paquetes UDP a los productos. Se requiere un reinicio del sistema del producto para la recuperaci\u00f3n."}], "id": "CVE-2026-1874", "lastModified": "2026-05-04T14:27:25.257", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "type": "Secondary"}]}, "published": "2026-03-03T07:16:10.067", "references": [{"source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "tags": ["Third Party Advisory"], "url": "https://jvn.jp/vu/JVNVU93286687/"}, {"source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "tags": ["Third Party Advisory"], "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-62-01"}, {"source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "tags": ["Vendor Advisory"], "url": "https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-021_en.pdf"}], "sourceIdentifier": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-670"}], "source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.106]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "manual", "scores": [{"score": 100.0, "source": "manual"}]}, "original": {"product": "MELSEC iQ-F Series FX5-ENET/IP Ethernet Module FX5-ENET/IP", "source": "cna", "vendor": "Mitsubishi Electric Corporation"}, "product": "melsec_iq-f_series_fx5-enet/ip_ethernet_module_fx5-enet/ip", "vendor": "mitsubishi_electric"}, {"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 81.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 81.0, "source": "matching"}]}, "original": {"product": "MELSEC iQ-F Series FX5-EIP EtherNet/IP Module FX5-EIP", "source": "cna", "vendor": "Mitsubishi Electric Corporation"}, "product": "melsec_iq-f_series_fx5-enet_ip", "vendor": "mitsubishi_electric"}], "analysis": {"en": {"generated_at": "2026-04-28T17:35:07.515589+00:00", "value": {"mitigation_remediation": ["Update the firmware or software on all affected FX5\u2011EIP and FX5\u2011ENET/IP modules to the latest Mitsubishi\u2011Electric release that corrects the UDP handling flaw.", "Configure network perimeter devices or firewalls to block unsolicited UDP traffic destined for the IP addresses of the affected modules, permitting only traffic from known, authorized control systems.", "As a temporary measure, isolate the modules on a dedicated, VLAN\u2011segmented network segment with strict access controls, and if possible disable or rate\u2011limit all non\u2011essential UDP services until a patch is applied."], "summary": {"action": "Apply Patch", "impact": "Remote Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Mitsubishi Electric\u2019s MELSEC iQ\u2011F Series FX5\u2011EIP EtherNet/IP Module FX5\u2011EIP (all released versions) and the FX5\u2011ENET/IP Ethernet Module FX5\u2011ENET/IP versions up to and including 1.106. Network engineers must verify that any deployed devices of these models are within this version range.", "description_and_impact": "An always\u2011incorrect control flow implementation (CWE\u2011670) in Mitsubishi Electric\u2019s MELSEC iQ\u2011F Series FX5\u2011ENET/IP Ethernet Module FX5\u2011ENET/IP versions 1.106 and prior, and the FX5\u2011EIP EtherNet/IP Module FX5\u2011EIP versions 1.000 and prior, permits a remote attacker to trigger a denial\u2011of\u2011service condition by repeatedly sending UDP packets to the device. The continuous flood causes internal state corruption and results in a persistent DoS that can only be recovered through a system reset.", "risk_and_exploitability": "The CVSS score of 8.7 indicates a high impact on availability, while the EPSS value of less than 1% suggests a low likelihood of exploitation. The flaw is not listed in CISA\u2019s KEV catalog, and no authentication is required, meaning any unauthenticated actor can trigger the DoS by sending crafted UDP packets over the network."}}}}, "created": "2026-03-04T21:04:05.480509+00:00", "updated": "2026-04-28T17:45:16.122739+00:00", "vendors": ["mitsubishi_electric", "mitsubishi_electric$PRODUCT$melsec_iq-f_series_fx5-enet/ip_ethernet_module_fx5-enet/ip", "mitsubishi_electric$PRODUCT$melsec_iq-f_series_fx5-enet_ip"]}