OTPulse
FeedAboutContact

Mitsubishi Electric MELSEC iQ-F Series

Act Now9.1ICS-CERT ICSA-25-153-03Jun 3, 2025
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

A vulnerability in all Mitsubishi Electric MELSEC iQ-F Series PLC models (FX5U, FX5S, FX5UC, FX5UJ) allows an attacker to send specially crafted packets to read confidential information, cause denial-of-service conditions, or disrupt operations. The vulnerability can be exploited remotely without authentication. Mitsubishi Electric has not released a patch and states no fix is planned. Mitigation requires network isolation, firewall rules, and use of the PLC's built-in IP filter function to restrict access to authorized hosts only.

What this means
What could happen
An attacker on the network could read sensitive data from these Mitsubishi PLCs, cause them to stop responding, or disrupt control logic without authentication—potentially halting production processes at utilities or manufacturing facilities.
Who's at risk
This affects all users of Mitsubishi Electric MELSEC iQ-F Series PLCs (FX5U, FX5S, FX5UC, FX5UJ lines) across all firmware versions. Critical impact for water utilities, electric utilities, manufacturing plants, and any facility that relies on these PLCs for process control, pump operation, valve control, or safety interlocks.
How it could be exploited
An attacker sends specially crafted packets to the PLC on the network. The PLC processes these packets without requiring authentication or complex setup, allowing the attacker to extract information, trigger a denial-of-service condition, or halt operations.
Prerequisites
  • Network access to the affected PLC on port 502 (Modbus TCP) or proprietary Mitsubishi communication port
  • No authentication required
remotely exploitableno authentication requiredlow complexityno patch availableaffects safety systems
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (95)
95 pending
ProductAffected VersionsFix Status
FX5UC-32MT/DSS-TS: vers:all/*All versionsNo fix yet
FX5UC-32MR/DS-TS: vers:all/*All versionsNo fix yet
FX5UJ-24MT/ES: vers:all/*All versionsNo fix yet
FX5UJ-24MT/DS: vers:all/*All versionsNo fix yet
FX5UJ-24MT/ESS: vers:all/*All versionsNo fix yet
Remediation & Mitigation
0/4
Do now
0/3
HARDENINGPlace affected PLCs behind a firewall that blocks all incoming traffic from untrusted networks; restrict access to authorized engineering and HMI workstations only.
WORKAROUNDEnable the IP filter function on each PLC to block traffic from unauthorized hosts and networks. Consult section 13.1 of the MELSEC iQ-F FX5 User's Manual (Communication).
HARDENINGUse a VPN or secure out-of-band channel for any remote access to these PLCs; do not expose them directly to the Internet.
Long-term hardening
0/1
HARDENINGRestrict physical access to the PLCs and the LAN cables connecting them to limit both local and remote attack surfaces.
View full CISA ICS-CERT advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/e7ad6816-0306-48b5-8bbe-de26210485d3