Integer Overflow DoS in Mitsubishi Electric MELSEC iQ‑F Series (CVE‑2026‑8805) Threatens Industrial Control Availability
What It Is — A newly disclosed integer overflow in the EtherNet/IP function of Mitsubishi Electric’s MELSEC iQ‑F Series FX5‑EIP module (≤ 1.000) can be triggered remotely to corrupt internal connection handling and cause a denial‑of‑service condition.
Exploitability — Public advisory from CISA; no public PoC, but the vulnerability is exploitable over the network (CVSS v3 7.5).
Affected Products — Mitsubishi Electric MELSEC iQ‑F Series, specifically the FX5‑EIP EtherNet/IP module.
Why It Matters for Compliance & Audit Readiness
- SOC 2 Availability – A DoS on OT equipment directly tests the Availability principle; auditors will look for evidence that you continuously monitor third‑party device health.
- Vendor‑Risk Management – The flaw resides in a third‑party hardware component; maintaining an up‑to‑date vendor‑risk register and remediation evidence is a SOC 2 control requirement.
- Continuous Evidence – Real‑time alerts from network‑traffic baselines and patch‑status dashboards provide the audit‑ready logs SOC 2 auditors expect.
Recommended Actions
- Verify firmware version on all MELSEC iQ‑F FX5‑EIP modules; apply Mitsubishi’s security patch or recommended mitigation.
- Update your vendor‑risk inventory to flag the affected hardware and document remediation status for SOC 2 evidence.
- Deploy network‑level rate‑limiting and anomaly‑detection rules to block connection‑flood attempts.
Source: CISA Advisory – ICSA‑26‑169‑05