Mitsubishi Electric MELSOFT Update Manager (Update B)

Priority: Act Now | CVSS 8.2 | ICS-CERT ICSA-25-184-03 | Jul 3, 2025
Vendor: Mitsubishi Electric | Sector: Energy
Attack path
  • Attack Vector: Local
  • Privileges Required: Low
  • Attack Complexity: Low
  • User Interaction: Required
Summary

Integer underflow (CWE-191) and protection mechanism failure (CWE-693) in MELSOFT Update Manager versions 1.000A through 1.012N allow a local user with standard privileges to execute arbitrary code with elevated permissions. Successful exploitation could lead to code execution, information disclosure, information tampering, or denial of service.

What this means
What could happen
An attacker with local access and a standard user account could execute arbitrary code with elevated permissions on the host running MELSOFT Update Manager, potentially compromising the control systems that host updates, or interrupting the processes they control.
Who's at risk
Organizations using Mitsubishi Electric industrial control systems should prioritize this fix. The MELSOFT Update Manager is used by control system engineers and OT staff to deploy firmware updates to PLCs, drives, and other industrial devices. Utilities, manufacturers, and any facility running Mitsubishi-based automation are affected. The vulnerability impacts the engineering workstations and servers where updates are staged before deployment to the plant floor.
How it could be exploited
An attacker with local access to a machine running MELSOFT Update Manager could trigger the integer underflow (a memory-safety defect that typically leads to out-of-bounds memory access when a crafted input is processed) or the protection mechanism failure to run code with the tool's elevated permissions. The realistic path is an attacker who already has a foothold on an engineering workstation, laptop, or server where the Update Manager is installed, or a malicious file that a user loads during the update process.
Prerequisites
  • Local access to the machine running MELSOFT Update Manager
  • A standard, non-administrator user account (CVSS PR:L)
  • User interaction to trigger the vulnerability (e.g., opening a file or starting an update action)
Tags: actively exploited (KEV); high CVSS (8.2); high EPSS score (52.4%); local code execution with elevated privileges; low attack complexity; affects software supply chain for ICS updates
Exploitability
Actively exploited — confirmed by CISA KEV
Public Proof-of-Concept (PoC) on GitHub (7 repositories)
Affected products (1)
  Product: MELSOFT Update Manager (SW1DND-UDM-M)
  Affected versions: 1.000A through 1.012N (inclusive)
  Fix status: fixed in 1.013P and later
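To triage an estate against the range in this table, the following added Python example (written for this page; it is not code from Mitsubishi Electric or from OTPulse) parses Mitsubishi-style version strings and sorts a host inventory into patch / ok / unknown buckets. The host names and versions are constructed sample data, and the convention that the numeric part orders releases while the trailing letter is only a release tag is an assumption drawn from the versions quoted in this advisory.

```python
"""Triage hosts against the affected-version range for ICSA-25-184-03.

Added example for this advisory page; not Mitsubishi Electric or OTPulse code.
Host names and versions below are constructed sample data.
"""
from __future__ import annotations

import re
from typing import Dict, List, Sequence, Tuple

# Range taken from the affected-products table on this page.
AFFECTED_MIN = "1.000A"
AFFECTED_MAX = "1.012N"
FIXED_MIN = "1.013P"

# Mitsubishi-style version: <major>.<three-digit minor> plus an optional upper-case
# release letter (1.000A, 1.012N, 1.013P). Assumption: the numeric part orders
# releases and the letter is only a release tag, so ordering ignores the letter.
_VERSION_RE = re.compile(r"^(\d+)\.(\d{3})([A-Z])?$")


def parse_version(text: str) -> Tuple[int, int]:
    """Return (major, minor) for a version string, raising on anything unexpected."""
    m = _VERSION_RE.match(text.strip().upper())
    if m is None:
        raise ValueError(f"unrecognised MELSOFT version string: {text!r}")
    return int(m.group(1)), int(m.group(2))


def is_affected(version: str) -> bool:
    """True when the version falls inside 1.000A .. 1.012N inclusive."""
    v = parse_version(version)
    return parse_version(AFFECTED_MIN) <= v <= parse_version(AFFECTED_MAX)


def is_fixed(version: str) -> bool:
    """True when the version is 1.013P or later."""
    return parse_version(version) >= parse_version(FIXED_MIN)


def triage(inventory: Sequence[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Sort (host, version) pairs into patch / ok / unknown buckets.

    A version the parser cannot read goes to 'unknown' rather than 'ok':
    an inventory gap must be resolved by hand, never treated as patched.
    """
    result: Dict[str, List[str]] = {"patch": [], "ok": [], "unknown": []}
    for host, version in inventory:
        try:
            if is_affected(version):
                result["patch"].append(host)
            elif is_fixed(version):
                result["ok"].append(host)
            else:
                # Outside both documented ranges (e.g. a pre-1.000A build):
                # neither listed as affected nor as fixed, so check it by hand.
                result["unknown"].append(host)
        except ValueError:
            result["unknown"].append(host)
    return result


# Constructed sample inventory, as an asset export might list it.
SAMPLE_INVENTORY: List[Tuple[str, str]] = [
    ("ENG-WS-01", "1.012N"),      # last affected release
    ("ENG-WS-02", "1.013P"),      # first fixed release
    ("ENG-WS-03", "1.000A"),      # first affected release
    ("ENG-WS-04", "1.005F"),      # mid-range affected build
    ("ENG-LAPTOP-07", "1.020"),   # newer build with the letter dropped by the export
    ("ENG-WS-09", "unknown"),     # inventory gap: must be checked by hand
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:8s} {', '.join(hosts) or '-'}")
```

The deliberate choice here is that anything the parser cannot place lands in the unknown bucket and stays on the work list; a triage script that silently marks unreadable versions as safe is how an unpatched engineering workstation survives an audit.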
Remediation & Mitigation
Do now
  • HOTFIX: Update MELSOFT Update Manager to version 1.013P or later.
  • HARDENING: Restrict physical and network access to machines running MELSOFT Update Manager to authorized personnel only.
Schedule (requires a maintenance window)
  Patching may require a reboot of the host; plan for the resulting process interruption.
  • HARDENING: Disable MELSOFT Update Manager on systems that do not require active updates, or run it on isolated machines with minimal network connectivity.