OTPulse

Mitsubishi Electric MELSEC iQ-F Series

MonitorCVSS 5.3ICS-CERT ICSA-25-184-04Jul 3, 2025
Mitsubishi ElectricEnergy
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

A denial-of-service vulnerability exists in Mitsubishi Electric MELSEC iQ-F Series programmable logic controllers (PLCs) and CC-Link IE TSN communication modules. The PLC's authentication mechanism can be triggered to lock out all login attempts—including legitimate user attempts—when an attacker sends repeated failed login attempts with incorrect credentials. Once locked out, authorized personnel cannot access the PLC to manage control logic or process parameters until a timeout period expires or the device is manually reset. Mitsubishi Electric has stated there are no plans to release a fixed version for any affected model.

What this means
What could happen
An attacker could repeatedly attempt failed logins to lock out legitimate users from accessing the PLC for a period of time, preventing authorized personnel from managing or adjusting control logic and process parameters until the lockout expires or the device is manually reset.
Who's at risk
Energy sector organizations operating Mitsubishi Electric MELSEC iQ-F Series PLCs (FX5U, FX5UC, FX5UJ, FX5S models and CC-Link IE TSN modules) should implement network controls to protect these devices from unauthorized login attempts. This affects facility automation, process control, and electrical distribution systems in utilities and industrial plants.
How it could be exploited
An attacker with network access to the affected PLC sends multiple login attempts with incorrect credentials. The PLC's authentication mechanism responds by locking out all login attempts for a period, including legitimate user attempts, causing a temporary denial of service to authorized administrators.
Prerequisites
  • Network access to the PLC (port 502 or other access port)
  • No authentication required to trigger the lockout mechanism
  • Knowledge of the PLC's network address
no patch availableremotely exploitableaffects control system availabilitylow complexity attack
Exploitability
Unlikely to be exploited — EPSS score 0.5%
Affected products (73)
73 pending
ProductAffected VersionsFix Status
FX5U-32MT/ES: vers:all/*All versionsNo fix yet
FX5U-32MT/DS: vers:all/*All versionsNo fix yet
FX5U-32MT/ESS: vers:all/*All versionsNo fix yet
FX5U-32MT/DSS: vers:all/*All versionsNo fix yet
FX5U-32MR/ES: vers:all/*All versionsNo fix yet
Remediation & Mitigation
0/5
Do now
0/3
HARDENINGRestrict network access to the PLC using a firewall to block login attempts from untrusted external networks and hosts
HARDENINGEnable the PLC's IP filter function to explicitly allow login attempts only from trusted engineering workstations and block all others
HARDENINGEnsure the PLC is not accessible from the Internet; connect it only to a protected internal LAN
Schedule — requires maintenance window
0/2

Patching may require device reboot — plan for process interruption

HARDENINGRestrict physical access to the PLC and the LAN segment it is connected to
HARDENINGIf remote access to the PLC is required, deploy it through a VPN tunnel with strong authentication and keep VPN software updated to current versions
View full CISA ICS-CERT advisory
API: /api/v1/advisories/b8b542f4-fda9-4f70-a6f5-df209327c6cd

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.