Mitsubishi Electric MELSOFT Update Manager (Update B)
Act Now · CVSS 8.2 · ICS-CERT ICSA-25-184-03 · Jul 3, 2025
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: Required
Summary
MELSOFT Update Manager SW1DND-UDM-M versions 1.000A through 1.012N contain multiple vulnerabilities (CWE-191: Integer Underflow, CWE-693: Protection Mechanism Failure) that could allow an attacker with local access to execute arbitrary code, disclose sensitive information, tamper with data, or cause denial of service. The vulnerabilities are actively being exploited in the wild.
What this means
What could happen
An attacker with local access to an engineering workstation running MELSOFT Update Manager could execute arbitrary code, potentially compromising the ability to manage and deploy firmware updates to Mitsubishi control systems. This could lead to unauthorized changes to production systems or inability to apply legitimate security patches.
Who's at risk
Organizations in the energy sector using Mitsubishi Electric control systems should review their engineering workstation inventory. Specifically, any technician or operations engineer who runs MELSOFT Update Manager to deploy firmware updates to programmable logic controllers (PLCs), inverters, or other Mitsubishi automation equipment is at risk. This is critical for organizations managing generation, transmission, or distribution systems.
How it could be exploited
An attacker with local access to a PC running vulnerable MELSOFT Update Manager (versions 1.000A–1.012N) exploits an integer underflow vulnerability while the user is interacting with the application. The attacker executes arbitrary code with the privileges of the logged-in user, which typically includes engineering workstation credentials. From there, the attacker could modify firmware packages or intercept update communications to deployed control systems.
Prerequisites
- Local access to the engineering workstation where MELSOFT Update Manager is installed
- Vulnerable MELSOFT Update Manager version (1.000A–1.012N) must be running
- User interaction with the application (UI component required for exploitation)
- actively exploited (KEV)
- local access required but low complexity
- high CVSS 8.2 score
- high EPSS score (52.4%)
- affects engineering toolchain for safety-critical systems
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (1)
Product: MELSOFT Update Manager SW1DND-UDM-M
Affected Versions: ≥ 1.000A and ≤ 1.012N
Fix Status: 1.013P or later
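To support the workstation inventory review the advisory calls for, the following is an added Python example (not code from the advisory, ICS-CERT or Mitsubishi) that parses MELSOFT-style version strings and triages hosts against the stated affected range and fix version. The inventory records, the host/product/version field names and the alphabetical ordering of the trailing version letter are assumptions.

```python
import re

# Affected range and fix version as stated in the advisory
AFFECTED_MIN, AFFECTED_MAX, FIXED_FROM = "1.000A", "1.012N", "1.013P"
# MELSOFT-style versions look like 1.012N: major, three-digit minor, letter
_VERSION_RE = re.compile(r"^(\d+)\.(\d{3})([A-Z])$")

def parse_version(v: str) -> tuple[int, int, int]:
    """Turn '1.012N' into a comparable (1, 12, 13) tuple.
    Assumption: the trailing letter orders alphabetically, as the
    advisory's range notation (1.000A through 1.012N) implies."""
    m = _VERSION_RE.match(v.strip().upper())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    major, minor, rev = m.groups()
    return int(major), int(minor), ord(rev) - ord("A")

def is_affected(v: str) -> bool:
    """True when v lies inside >= 1.000A and <= 1.012N."""
    return parse_version(AFFECTED_MIN) <= parse_version(v) <= parse_version(AFFECTED_MAX)

def triage(inventory: list[dict]) -> dict[str, list[str]]:
    """Bucket SW1DND-UDM-M installs into affected / fixed / unknown.
    'unknown' holds unparsable versions and versions above 1.012N but
    below 1.013P, which need a manual check rather than a silent pass."""
    buckets: dict[str, list[str]] = {"affected": [], "fixed": [], "unknown": []}
    for rec in inventory:
        if rec.get("product") != "SW1DND-UDM-M":
            continue  # other software is out of scope for this advisory
        try:
            if is_affected(rec["version"]):
                buckets["affected"].append(rec["host"])
            elif parse_version(rec["version"]) >= parse_version(FIXED_FROM):
                buckets["fixed"].append(rec["host"])
            else:
                buckets["unknown"].append(rec["host"])
        except (KeyError, ValueError):
            buckets["unknown"].append(rec.get("host", "?"))
    return buckets

# Constructed sample inventory: hypothetical hosts, not real data
SAMPLE_INVENTORY = [
    {"host": "ews-01", "product": "SW1DND-UDM-M", "version": "1.012N"},
    {"host": "ews-02", "product": "SW1DND-UDM-M", "version": "1.013P"},
    {"host": "ews-03", "product": "SW1DND-UDM-M", "version": "1.000A"},
    {"host": "ews-04", "product": "SW1DND-UDM-M", "version": "1.012P"},
    {"host": "ews-05", "product": "SW1DND-UDM-M", "version": "n/a"},
    {"host": "hmi-01", "product": "OTHER-TOOL", "version": "2.001B"},
]
```

Hosts in the "unknown" bucket (a version the parser rejects, or one between the top of the affected range and the first fixed release) should be checked by hand rather than treated as patched.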
Remediation & Mitigation
Do now
HOTFIX: Immediately update MELSOFT Update Manager to version 1.013P or later. Customers in Japan should download from Mitsubishi's Japanese download site (mitsubishielectric.co.jp/fa/download). Customers outside Japan should contact their local Mitsubishi Electric representative for the fixed version and installation instructions.
HARDENING: Restrict local access to engineering workstations running MELSOFT Update Manager to authorized personnel only. Implement physical security controls and account-based access restrictions.
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HARDENING: Implement network segmentation to isolate engineering workstations from general corporate network traffic. Ensure that any lateral movement from a compromised engineering station cannot reach production control systems.
CVEs (2)