ICS/OT · Regulator · News · The Broadside

Mitsubishi leaves all FX5-ENET/IP modules without CVE-2026-8806 fix

For plant engineers, the practical control becomes permanent segmentation, IP filtering, and risk acceptance around a remotely exploitable availability hit.


TL;DR

CISA disclosed CVE-2026-8806, a high-severity denial-of-service flaw affecting all versions of Mitsubishi Electric's MELSEC iQ-F Series FX5-ENET/IP Ethernet Module. Mitsubishi says no fixed version is planned. Critical manufacturing operators, including defense-industrial-base manufacturers and contractors using the module, have to live with firewalling, LAN isolation, IP filtering, restricted physical access, and anti-virus controls on connected PCs as long-term mitigations. That turns a vulnerability advisory into an indefinite compensating-control requirement.

CISA disclosed CVE-2026-8806 in Mitsubishi Electric's MELSEC iQ-F Series FX5-ENET/IP Ethernet Module, and the operationally important line sits in the remediation field: no fix planned. The flaw affects all FX5-ENET/IP versions. A remote attacker can stop the module's communication function by sending a large number of packets to the Ethernet port in a short period; the resulting processing load prevents the module's internal anomaly-detection processing from running. CISA lists CVSS 3.1 at 7.5 and CVSS 4.0 at 8.7, with deployments in the critical manufacturing sector worldwide.

That is a different posture from the normal ICS advisory rhythm. CISA's prior advisories for this same module line listed firmware fixes for earlier denial-of-service issues, including FX5-ENET/IP version 1.106 for CVE-2024-8403 in ICSA-24-324-01 and version 1.107 or later for CVE-2026-1874 and CVE-2026-1876 in ICSA-26-62-01. Here, the stated remediation is operational containment: use firewalls or VPNs when internet access is required, keep the product within a LAN, block untrusted networks and hosts, use the module's IP filter function, restrict physical access, and run anti-virus software on PCs that can access the module.

The work lands with the people who own production availability as much as with the compliance group tracking the CVE. A prime or defense-industrial-base contractor running FX5-ENET/IP modules in a plant cannot close this with a firmware work order. It has to define which networks can reach the module, test whether filtering breaks legitimate engineering or monitoring traffic, document the compensating controls, and treat every exception as explicit risk acceptance.
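As an added illustration of that containment step (this is not code from the advisory, from CISA or from Mitsubishi), the script below encodes a per-module allowlist, checks that the flows the plant actually needs still pass before the rules are deployed, and renders the result as an nftables ruleset for a firewall sitting between the IT network and the cell network. The module address, the engineering and SCADA subnets, the destination ports and the rate limits are all assumptions; take the real port numbers from the module's own manual.

```python
"""Per-module allowlist for an FX5-ENET/IP Ethernet module, rendered as nftables.

Added example, not from the advisory. All addresses, ports and rates below are
assumptions chosen for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class AllowRule:
    name: str              # which legitimate consumer this flow belongs to
    src_net: IPv4Network   # only hosts in this network may reach the module
    proto: str             # "tcp" or "udp"
    dport: int             # destination port on the module (assumed values)
    rate: str              # nftables limit expression, e.g. "200/second"


@dataclass(frozen=True)
class Flow:
    src: IPv4Address
    proto: str
    dport: int


def decide(rules: List[AllowRule], flow: Flow) -> str:
    """Emulate the generated chain: first matching allow rule accepts, anything
    else is dropped, so the module never sees packets from unlisted networks."""
    for r in rules:
        if flow.src in r.src_net and flow.proto == r.proto and flow.dport == r.dport:
            return "accept"
    return "drop"


def check_required_flows(rules: List[AllowRule],
                         flows: List[Tuple[str, Flow]]) -> List[str]:
    """Return the names of legitimate flows the policy would break.
    Run this before deploying, so filtering does not take out engineering
    or monitoring access along with the attacker."""
    return [name for name, f in flows if decide(rules, f) != "accept"]


def render_nft(module_ip: IPv4Address, rules: List[AllowRule]) -> str:
    """Render the allowlist as an nftables forward-chain ruleset with a
    per-rule rate limit and a default drop for the module's address."""
    chain = "fx5_" + str(module_ip).replace(".", "_")
    lines = [
        "table inet fx5_guard {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        f"    ip daddr {module_ip} jump {chain}",
        "  }",
        f"  chain {chain} {{",
        "    ct state established,related accept",
    ]
    for r in rules:
        lines.append(
            f"    ip saddr {r.src_net} {r.proto} dport {r.dport} "
            f"limit rate {r.rate} burst 50 packets accept comment \"{r.name}\""
        )
    lines += ["    drop", "  }", "}"]
    return "\n".join(lines)


# --- constructed sample data (assumptions, not values from the advisory) ---
MODULE = ip_address("192.168.3.250")
RULES = [
    AllowRule("engineering", ip_network("10.20.30.0/24"), "tcp", 5007, "200/second"),
    AllowRule("scada-poll", ip_network("10.20.40.10/32"), "tcp", 44818, "100/second"),
]
REQUIRED = [  # flows the plant cannot lose
    ("engineering laptop", Flow(ip_address("10.20.30.15"), "tcp", 5007)),
    ("SCADA scanner", Flow(ip_address("10.20.40.10"), "tcp", 44818)),
]
DENIED = [  # flows that must never reach the module
    ("corporate host", Flow(ip_address("10.1.1.9"), "tcp", 5007)),
    ("engineering laptop on wrong port", Flow(ip_address("10.20.30.15"), "udp", 5007)),
]

if __name__ == "__main__":
    broken = check_required_flows(RULES, REQUIRED)
    print("broken required flows:", broken or "none")
    for name, f in DENIED:
        print(f"{name}: {decide(RULES, f)}")
    print(render_nft(MODULE, RULES))
```

The rate limit only bounds traffic that crosses the firewall; a flood originating inside the cell network, or from a compromised engineering host on the allowlist, still reaches the module's port, which is why the advisory also points at the module's own IP filter function and physical-access restrictions. Any flow that `check_required_flows` reports as broken is either a rule to add or a risk-acceptance entry to document.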

One caveat matters for readers who treat CISA ICS pages as engineering guidance. The advisory says it is a verbatim republication of Mitsubishi Electric 2026-003 from the vendor's Common Security Advisory Framework filing, provided by CISA to increase visibility. The unresolved questions are vendor-side: whether Mitsubishi changes its position on a fixed version or end-of-life path, and how much FX5-ENET/IP equipment sits inside U.S. critical infrastructure.


Published · Deep Fathom