CVE-2026-1874: CWE-670 Always-Incorrect Control Flow Implementation in Mitsubishi Electric Corporation MELSEC iQ-F Series FX5-ENET/IP Ethernet Module FX5-ENET/IP
CVE-2026-1874 is a high-severity vulnerability affecting Mitsubishi Electric's MELSEC iQ-F Series FX5-ENET/IP Ethernet Module (versions 1.106 and prior) and all versions of the FX5-EIP EtherNet/IP Module. The flaw is an Always-Incorrect Control Flow Implementation (CWE-670) that allows a remote attacker to cause a denial-of-service (DoS) by continuously sending UDP packets to the affected modules. Exploitation requires no authentication or user interaction and results in the product requiring a system reset to recover. There are no known exploits in the wild, and no patches have been released yet. This vulnerability poses a significant risk to industrial control systems relying on these modules for network communication. Organizations using these Mitsubishi modules should implement network-level protections and monitor for abnormal UDP traffic to mitigate potential attacks.
AI Analysis
Technical Summary
CVE-2026-1874 identifies a high-severity vulnerability in Mitsubishi Electric Corporation's MELSEC iQ-F Series FX5-ENET/IP Ethernet Module (versions 1.106 and prior) and all versions of the FX5-EIP EtherNet/IP Module. The vulnerability is classified under CWE-670, Always-Incorrect Control Flow Implementation, indicating a fundamental flaw in the module's control flow logic. Specifically, the affected modules improperly handle incoming UDP packets, allowing a remote attacker to continuously send such packets and trigger a denial-of-service (DoS) condition. This DoS causes the modules to become unresponsive, necessitating a system reset to restore normal operation. The vulnerability is remotely exploitable without any authentication or user interaction, increasing its risk profile. The CVSS 4.0 base score is 8.7 (high severity), reflecting the ease of exploitation (network attack vector, low complexity) and the significant impact on availability. The affected products are industrial communication modules used with Mitsubishi's MELSEC iQ-F Series programmable logic controllers (PLCs), which are widely deployed in industrial automation environments. No patches or mitigations have been officially released at the time of publication, and no known exploits have been observed in the wild. The flaw could be leveraged by attackers to disrupt industrial processes, potentially causing operational downtime and safety risks in manufacturing, energy, and infrastructure sectors.
Potential Impact
The primary impact of CVE-2026-1874 is a denial-of-service condition on Mitsubishi MELSEC iQ-F Series Ethernet modules, which are integral components in industrial control systems (ICS). Disruption of these modules can halt communication between PLCs and other networked devices, leading to operational downtime, loss of process control, and potential safety hazards in critical infrastructure environments such as manufacturing plants, energy grids, water treatment facilities, and transportation systems. The lack of authentication and user interaction requirements means attackers can exploit this vulnerability remotely and at scale if network access is available. This could enable attackers to cause widespread disruption, especially in environments where these modules are deployed in large numbers or in critical control loops. Additionally, forced system resets may cause temporary loss of monitoring and control data, complicating incident response and recovery. While no known exploits are currently reported, the high CVSS score and ease of attack vector suggest a significant risk if weaponized. The vulnerability could also be leveraged as part of multi-stage attacks targeting industrial environments, increasing the potential for cascading failures.
Mitigation Recommendations
Given the absence of official patches, organizations should implement immediate network-level mitigations to reduce exposure. This includes segmenting industrial control networks from corporate and external networks using firewalls and network access controls to restrict UDP traffic to only trusted sources. Deploy intrusion detection/prevention systems (IDS/IPS) with signatures or anomaly detection tuned to identify unusual UDP packet floods targeting the affected modules. Network administrators should monitor for abnormal UDP traffic patterns and implement rate limiting where feasible. Physical or logical isolation of critical PLCs and their communication modules can further reduce attack surface. Organizations should engage with Mitsubishi Electric for timely updates and patches and plan for prompt deployment once available. Additionally, incident response plans should be updated to include procedures for handling DoS conditions on these modules, including safe system reset protocols. Regular backups of PLC configurations and process data are recommended to facilitate recovery. Finally, consider vendor consultation for potential firmware workarounds or mitigations.
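The monitoring and rate-threshold advice above can be prototyped against flow or packet logs before it is turned into an IDS rule. The following is an added example, not vendor or advisory code; the record format, the addresses (documentation ranges), the allowlist and the threshold are assumptions to be replaced with site values.

```python
from collections import defaultdict, deque

# Site-specific assumptions, not values from the advisory.
MODULES = {"192.0.2.10"}   # addresses of FX5-ENET/IP / FX5-EIP modules
TRUSTED = {"192.0.2.20"}   # peers allowed to send UDP to them
WINDOW_S, MAX_PKTS = 1.0, 50   # tune to the measured baseline


def detect(lines):
    """Scan 'epoch proto src dst' records (constructed format) for UDP
    aimed at protected modules. Emits one 'untrusted-source' alert per
    (src, module) and one 'udp-rate' alert per module when more than
    MAX_PKTS packets arrive within WINDOW_S, counted across all sources
    so spoofed or distributed senders still trip it."""
    recent = defaultdict(deque)   # module -> timestamps inside the window
    seen, alerts = set(), []
    for line in lines:
        try:
            ts, proto, src, dst = line.split()
            ts = float(ts)
        except ValueError:
            continue              # skip blank or malformed records
        if proto.lower() != "udp" or dst not in MODULES:
            continue
        if src not in TRUSTED and (src, dst) not in seen:
            seen.add((src, dst))
            alerts.append(("untrusted-source", src, dst, ts))
        q = recent[dst]
        q.append(ts)
        while ts - q[0] > WINDOW_S:
            q.popleft()
        if len(q) > MAX_PKTS and dst not in seen:
            seen.add(dst)
            alerts.append(("udp-rate", dst, len(q), ts))
    return alerts


def sample_log():
    """Constructed records: steady polling, one bad line, then a burst."""
    poll = [f"{100 + i * 0.1:.3f} udp 192.0.2.20 192.0.2.10" for i in range(20)]
    burst = [f"{103 + i * 0.005:.3f} udp 198.51.100.7 192.0.2.10" for i in range(200)]
    return poll + ["truncated record"] + burst


if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

Because the rate is counted per module rather than per sender, a trusted peer that starts flooding is flagged as well; the allowlist only suppresses the source alert.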
Affected Countries
Japan, United States, Germany, South Korea, China, France, United Kingdom, Italy, Canada, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: Mitsubishi
- Date Reserved: 2026-02-04T04:08:41.166Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69a687b5d1a09e29cbe13006
Added to database: 3/3/2026, 7:03:17 AM
Last enriched: 3/3/2026, 7:17:52 AM
Last updated: 3/3/2026, 8:06:43 AM
Related Threats
- CVE-2026-1875: CWE-404 Improper Resource Shutdown or Release in Mitsubishi Electric Corporation MELSEC iQ-F Series FX5-EIP EtherNet/IP Module FX5-EIP (High)
- CVE-2025-12345: Buffer Overflow in LLM-Claw (High)
- CVE-2025-15595: CWE-1390: Weak Authentication in mlsoft Inno Setup (Medium)
- CVE-2026-3455: Cross-site Scripting (XSS) in mailparser (Medium)
- CVE-2026-3449: Incorrect Control Flow Scoping in @tootallnate/once (Medium)