Mitsubishi Electric Europe B.V. smartRTU

Act Now9.8ICS-CERT ICSA-25-105-09Apr 15, 2025

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Mitsubishi Electric smartRTU version 3.37 and earlier contain missing access control vulnerabilities (CWE-306, CWE-78) in the web interface. A remote unauthenticated attacker can exploit these to read, modify, or delete operational data and configuration, or cause denial of service. The vulnerability affects energy sector devices used for remote monitoring and control of electrical infrastructure.

What this means

What could happen

An attacker could access the smartRTU remotely without credentials, read or modify critical configuration and operational data, delete information, or crash the device, disrupting remote monitoring and control of electrical infrastructure.

Who's at risk

Energy utilities and grid operators using Mitsubishi Electric smartRTU devices for remote generation, substation, or distribution monitoring and control. Any facility relying on smartRTU for telemetry, SCADA integration, or operational visibility is at risk.

How it could be exploited

An attacker on any network with access to the smartRTU's HTTP/HTTPS web interface (typically port 80 or 443) can send malicious requests without authentication due to missing access controls. No special tools or knowledge of the device's configuration is required beyond network reachability.

Prerequisites

Network access to HTTP/HTTPS ports on the smartRTU (typically 80/443)
No valid credentials required
Device must be internet-accessible or reachable from compromised network segment

remotely exploitableno authentication requiredlow complexityno patch availableaffects critical infrastructure operations

Exploitability

Low exploit probability (EPSS 0.3%)

Affected products (1)

ProductAffected VersionsFix Status

smartRTU: <=3.37≤ 3.37No fix (EOL)

Remediation & Mitigation

0/5

Do now

0/3

WORKAROUNDUse firewall rules to block unauthorized network access to smartRTU HTTP/HTTPS ports; restrict to trusted IP ranges only

HARDENINGDeploy a web application firewall (WAF) to monitor and block malicious HTTP/HTTPS traffic to the smartRTU

HARDENINGRequire VPN or secure tunnel for any remote access to smartRTU; do not expose web interface directly to the internet

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HARDENINGMonitor for and report any suspicious HTTP/HTTPS activity targeting the smartRTU to CISA

Mitigations - no patch available

0/1

smartRTU: <=3.37 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGImplement network segmentation to isolate smartRTU on a LAN with access controls; block inbound connections from untrusted networks

CVEs (2)

CVE-2025-3232 CVE-2025-3128

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/d123ea8c-2ab6-4c8c-9087-12ab19261646