Mitsubishi Electric MELSEC iQ-F Series

View CSAF

1. EXECUTIVE SUMMARY CVSS v3 9.1 ATTENTION: Exploitable remotely/low attack complexity Vendor: Mitsubishi Electric Equipment: MELSEC iQ-F Series Vulnerability: Improper Validation of Specified Index, Position, or Offset in Input
2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to read confidential information, cause a denial-of-service condition, or stop operations by sending specially crafted packets.
3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following versions of Mitsubishi Electric MELSEC iQ-F Series are affected. Products with [Note *1] are sold in limited regions: FX5U-xMy/z x=32, 64, 80, y=T, R, z=ES,DS, ESS, DSS: All versions FX5UC-xMy/z x=32, 64, 96, y=T, z=D, DSS: All versions FX5UC-32MT/DS-TS, FX5UC-32MT/DSS-TS, FX5UC-32MR/DS-TS: All versions FX5UJ-xMy/z x=24, 40, 60, y=T, R, z=ES,DS,ESS,DSS: All versions FX5UJ-xMy/ES-A[Note *1] x=24, 40, 60, y=T, R: All versions FX5S-xMy/z x=30, 40, 60, 80[Note *1], y=T, R, z= ES,DS,ESS,DSS: All versions 3.2 VULNERABILITY OVERVIEW 3.2.1 IMPROPER VALIDATION OF SPECIFIED INDEX, POSITION, OR OFFSET IN INPUT CWE-1285 This vulnerability allows a remote attacker to read information in the product, cause a Denial-of-Service (DoS) condition in MELSOFT connection communication with Mitsubishi Electric FA products such as GX Works3 and GOT, or stop the operation of the CPU module (causing a DoS condition on the CPU module), by sending specially crafted packets. The product is needed to reset for recovery. CVE-2025-3755 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H). 3.3 BACKGROUND CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing COUNTRIES/AREAS DEPLOYED: Worldwide COMPANY HEADQUARTERS LOCATION: Japan 3.4 RESEARCHER Mitsubishi Electric reported this vulnerability to CISA.
4. MITIGATIONS Mitsubishi Electric recommends users take the following mitigation measures to minimize the risk of exploiting this vulnerability: Use a firewall or virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required. Use within a LAN and block access from untrusted networks and hosts through firewalls. Use IP filter function to block access from untrusted hosts. Restrict physical access to the affected products and the LAN that is connected by them. For details on the IP filter function, please refer to the following manual for each product. “13.1 IP Filter Function” in the MELSEC iQ-F FX5 User’s Manual (Communication) Please download the manual from the following URL: https://www.mitsubishielectric.com/fa/download/index.html For more information, see Mitsubishi Electric advisory 2025-003. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. CISA also recommends users take the following measures to protect themselves from social engineering attacks: Do not click web links or open attachments in unsolicited email messages. Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
5. UPDATE HISTORY June 3, 2025: Initial Republication of Mitsubishi Electric 2025-003