Mitsubishi Electric Europe B.V. smartRTU

Plan Patch | CVSS 9.8 | ICS-CERT ICSA-25-105-09 | Apr 15, 2025
Vendor: Mitsubishi Electric | Sector: Energy
Attack path
  • Attack Vector: Network
  • Auth Required: None
  • Complexity: Low
  • User Interaction: None needed
Summary

Mitsubishi Electric smartRTU contains multiple vulnerabilities (CWE-306: Missing Authentication, CWE-78: Improper Neutralization of Special Elements used in an OS Command) that allow remote unauthenticated attackers to disclose, modify, destroy, or delete information in the product, or cause denial-of-service conditions. Affected versions: smartRTU 3.37 and earlier.

What this means
What could happen
An attacker with network access to the smartRTU could read or modify configuration data and sensor values, delete critical data stored on the device, or crash the RTU, causing loss of remote monitoring and control of field devices. This directly impacts situational awareness and operational response capabilities in energy infrastructure.
Who's at risk
Energy utilities operating Mitsubishi Electric smartRTU devices, which are remote terminal units used for monitoring and controlling distributed field equipment like pumps, switches, and sensors in power generation, transmission, and distribution networks. Also affects water utilities with similar SCADA infrastructure.
How it could be exploited
An attacker sends unauthenticated HTTP/HTTPS requests to the smartRTU web interface over the network. Due to missing authentication checks and improper input handling, the attacker can execute arbitrary commands or manipulate data without providing credentials or valid authentication tokens.
Prerequisites
  • Network connectivity to the smartRTU web interface (typically port 80/443)
  • No authentication required
Tags: remotely exploitable, no authentication required, low complexity, affects operational technology, no patch available
Exploitability
Unlikely to be exploited — EPSS score 0.4%
Affected products (1)
  • Product: smartRTU
  • Affected versions: ≤ 3.37
  • Fix status: No fix (EOL)
Remediation & Mitigation
Do now
  • HARDENING: Restrict network access to the smartRTU web interface to trusted networks only using firewall rules; block all inbound HTTP/HTTPS traffic from untrusted or external networks
  • HARDENING: Deploy a Web Application Firewall (WAF) in front of the smartRTU to filter, monitor, and block malicious HTTP/HTTPS traffic
  • HARDENING: If Internet access to the smartRTU is required, establish a VPN tunnel and allow web client access only through the VPN from a restricted set of trusted administrative hosts
Mitigations - no patch available
smartRTU ≤ 3.37 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
  • HARDENING: Segment the smartRTU onto a dedicated OT network with minimal connectivity to corporate IT networks and external systems
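One way to check that the network restriction described above is actually holding, as an added example that is not part of the advisory or of the vendor's guidance: a Python audit over constructed firewall flow-log lines that flags any connection to the RTU's web ports (80/443) allowed from outside the assumed VPN pool and admin host, and separately lists denied probes worth alerting on. The RTU address, trusted ranges and log format are assumptions.

```python
"""Audit firewall flow logs for reachability of a smartRTU web interface.
Added example, not from the advisory or Mitsubishi Electric: all addresses,
ranges and log lines are constructed placeholders."""
import ipaddress
from dataclasses import dataclass

RTU_ADDRESS = ipaddress.ip_address("10.20.30.40")  # placeholder RTU address
WEB_PORTS = {80, 443}                               # HTTP/HTTPS, per the advisory
TRUSTED_SOURCES = [                                 # only sources the mitigation permits
    ipaddress.ip_network("10.99.0.0/24"),           # assumed VPN client pool
    ipaddress.ip_network("10.20.1.10/32"),          # assumed OT admin workstation
]

@dataclass
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int
    action: str  # "ALLOW" or "DENY", as the firewall recorded it

def parse_flow(line: str) -> Flow:
    """Parse a constructed line: 'src=A dst=B dport=N action=ALLOW|DENY'."""
    f = dict(tok.split("=", 1) for tok in line.split())
    return Flow(ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"]),
                int(f["dport"]), f["action"].upper())

def is_trusted(src: ipaddress.IPv4Address) -> bool:
    return any(src in net for net in TRUSTED_SOURCES)

def audit(lines):
    """Return (gaps, blocked): web-interface flows from untrusted sources the firewall
    ALLOWED (the restriction is not enforced) or DENIED (probes worth alerting on).
    smartRTU <= 3.37 does no authentication (CWE-306), so each gap is potential access."""
    gaps, blocked = [], []
    for line in lines:
        flow = parse_flow(line)
        if flow.dst != RTU_ADDRESS or flow.dport not in WEB_PORTS or is_trusted(flow.src):
            continue
        (gaps if flow.action == "ALLOW" else blocked).append(flow)
    return gaps, blocked

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    "src=10.99.0.15 dst=10.20.30.40 dport=443 action=ALLOW",   # VPN client: permitted
    "src=10.20.1.10 dst=10.20.30.40 dport=80 action=ALLOW",    # admin host: permitted
    "src=192.0.2.77 dst=10.20.30.40 dport=80 action=ALLOW",    # untrusted, allowed: gap
    "src=198.51.100.9 dst=10.20.30.40 dport=443 action=DENY",  # untrusted, blocked: probe
    "src=192.0.2.77 dst=10.20.30.41 dport=443 action=ALLOW",   # other host: out of scope
    "src=172.16.5.5 dst=10.20.30.40 dport=502 action=ALLOW",   # non-web port: out of scope
]
```

Any entry in the first list means the firewall or VPN restriction is not doing what the compensating control requires; the second list is the detection feed for blocked attempts.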