Mitsubishi Electric MELSEC iQ-F Series
Monitor | 5.3 | ICS-CERT ICSA-25-184-04 | Jul 3, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A denial-of-service vulnerability exists in Mitsubishi Electric MELSEC iQ-F PLCs. An attacker can repeatedly send incorrect login attempts to the device, causing it to lock out all users (including legitimate ones) for a period of time or until manual reset. This prevents plant operators from accessing the PLC for monitoring and control during the lockout. The vulnerability affects all versions of MELSEC iQ-F models (FX5U, FX5UC, FX5UJ, FX5S series) and CC-Link IE TSN modules. Mitsubishi Electric has announced no plans to release a firmware fix.
What this means
What could happen
An attacker can force a lockout of legitimate users by sending repeated failed login attempts to a MELSEC iQ-F PLC, preventing plant operators from accessing the device until a timeout expires or the device is manually reset.
Who's at risk
Energy sector organizations using Mitsubishi Electric MELSEC iQ-F series PLCs (FX5U, FX5UC, FX5UJ, FX5S models) and CC-Link IE TSN master modules. These devices are commonly used in power distribution, substation automation, and industrial process control in utilities and manufacturing.
How it could be exploited
An attacker with network access to the PLC sends repeated authentication requests with incorrect credentials. After a threshold of failed attempts, the PLC locks out all authentication (including valid users) for a period of time, blocking legitimate access and preventing engineering changes or monitoring during the lockout window.
Prerequisites
- Network access to the PLC (port 502 for Modbus or native protocol port)
- No credentials required to trigger lockout
- PLC must have authentication enabled and be reachable from attacker's network
no patch available, remotely exploitable, affects all firmware versions, no authentication required to trigger lockout, denial of service impact on plant operations
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (73)
73 pending
| Product | Affected Versions | Fix Status |
|---|---|---|
| FX5U-32MT/ES: vers:all/* | All versions | No fix yet |
| FX5U-32MT/DS: vers:all/* | All versions | No fix yet |
| FX5U-32MT/ESS: vers:all/* | All versions | No fix yet |
| FX5U-32MT/DSS: vers:all/* | All versions | No fix yet |
| FX5U-32MR/ES: vers:all/* | All versions | No fix yet |
Remediation & Mitigation
Do now
- HARDENING: Block unauthorized network access using a firewall to restrict connections to the PLC from only trusted engineering workstations and remote access terminals
- HARDENING: Deploy a VPN for all remote access to the PLC and restrict VPN access to authorized personnel only
- HARDENING: Use the IP filter function built into the MELSEC iQ-F to whitelist only known trusted host IP addresses
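One way to check that the firewall and IP filter allowlist above is actually holding, and to spot connection bursts that could precede a lockout. This is an added example, not part of the advisory or Mitsubishi Electric's tooling; the flow-record format, the addresses (documentation ranges), and the burst threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumed values, not from the advisory: PLC address, trusted engineering
# hosts, and the burst threshold (connections within a time window).
PLC = ipaddress.ip_address("192.0.2.10")
ALLOWED = [ipaddress.ip_network(n) for n in ("192.0.2.20/32", "192.0.2.21/32")]
BURST_COUNT, BURST_WINDOW = 5, 60  # connections, seconds

# Constructed flow records: "epoch_seconds src_ip dst_ip dst_port"
SAMPLE_FLOWS = """\
1000 192.0.2.20 192.0.2.10 502
1500 192.0.2.20 192.0.2.99 502
2000 198.51.100.7 192.0.2.10 502
2005 198.51.100.7 192.0.2.10 502
2010 198.51.100.7 192.0.2.10 502
2015 198.51.100.7 192.0.2.10 502
2020 198.51.100.7 192.0.2.10 502
2025 198.51.100.7 192.0.2.10 502
3000 203.0.113.9 192.0.2.10 502
4600 192.0.2.20 192.0.2.10 502
5000 192.0.2.21 192.0.2.10 502
5010 192.0.2.21 192.0.2.10 502
5020 192.0.2.21 192.0.2.10 502
5030 192.0.2.21 192.0.2.10 502
5040 192.0.2.21 192.0.2.10 502
"""

def audit(text):
    """Return (unlisted_sources, burst_sources) for traffic sent to the PLC."""
    times = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed records
        ts, src, dst, _port = parts
        if ipaddress.ip_address(dst) == PLC:
            times[ipaddress.ip_address(src)].append(int(ts))
    # Any source outside the allowlist means the filter is not enforced.
    unlisted = sorted(str(s) for s in times if not any(s in n for n in ALLOWED))
    bursts = []
    for src, seen in times.items():
        seen.sort()
        # Sliding window: BURST_COUNT connections inside BURST_WINDOW seconds.
        # Allowlisted hosts are checked too; a trusted workstation can misbehave.
        if any(seen[i + BURST_COUNT - 1] - seen[i] <= BURST_WINDOW
               for i in range(len(seen) - BURST_COUNT + 1)):
            bursts.append(str(src))
    return unlisted, sorted(bursts)

if __name__ == "__main__":
    print(audit(SAMPLE_FLOWS))
```

Flow records do not show whether a login failed, so a burst is only a proxy for repeated authentication attempts and should be correlated with operator reports of lockout.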
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HARDENINGIsolate the PLC on a dedicated industrial LAN and prevent Internet routing to or from the device
Long-term hardening
- HARDENING: Restrict physical access to the PLC and the network it is connected to, limiting physical hands-on access to authorized personnel
CVEs (1)