Mitsubishi Electric Corporation MELSEC iQ-F Series CPU module (Update A)
CVSS 5.3 · ICS-CERT ICSA-25-233-01 · Aug 21, 2025
Vendor: Mitsubishi Electric · Sector: Energy
Attack path
- Attack Vector: Network
- Auth Required: None
- Complexity: Low
- User Interaction: None needed
Summary
A denial-of-service vulnerability exists in the web server function of Mitsubishi Electric MELSEC iQ-F Series CPU modules. An attacker can send a specially crafted HTTP request that causes the web server to delay or stop responding, preventing legitimate users from accessing the device's web interface for monitoring and configuration. Affected models include FX5U, FX5UC, FX5UJ, and FX5S variants. Mitsubishi Electric has advised there are no plans to release a fixed version for any affected product.
What this means
What could happen
An attacker with network access to the web server function on these PLCs could send a crafted HTTP request to cause a denial-of-service (DoS) condition, blocking legitimate users and potentially disrupting web-based monitoring or control of the device.
Who's at risk
Water utilities, electric power distribution systems, and other critical infrastructure operators running Mitsubishi Electric MELSEC iQ-F series programmable logic controllers (PLCs), including FX5U, FX5UC, FX5UJ, and FX5S CPU modules. Any facility that relies on web-based remote monitoring or configuration of these PLCs is affected.
How it could be exploited
An attacker on the network sends a specially crafted HTTP request to the PLC's web server (typically port 80 or 443). The malformed request causes the web server process to delay or hang, making it unavailable to legitimate users trying to access the device remotely for monitoring or configuration.
Prerequisites
- Network access to the PLC's web server port (80 or 443)
- The web server function must be enabled on the PLC
- No authentication is typically required to send an HTTP request
Tags: remotely exploitable · no authentication required · low complexity · no patch available · affects control system operations
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (75; fix status: 75 pending, none fixed; the first five entries are shown below)
Product | Affected Versions | Fix Status
MELSEC iQ-F Series CPU module FX5U-32MT/ES | >= 1.060 | No fix yet
MELSEC iQ-F Series CPU module FX5U-32MT/DS | >= 1.060 | No fix yet
MELSEC iQ-F Series CPU module FX5U-32MT/ESS | >= 1.060 | No fix yet
MELSEC iQ-F Series CPU module FX5U-32MT/DSS | >= 1.060 | No fix yet
MELSEC iQ-F Series CPU module FX5U-32MR/ES | >= 1.060 | No fix yet
Remediation & Mitigation
Do now
- [HARDENING] Implement firewall rules to restrict access to the PLC's web server ports (80/443) to only authorized engineering workstations and monitoring systems
- [WORKAROUND] Configure the IP filter function on the PLC to block HTTP/HTTPS traffic from untrusted networks or hosts (see 'IP Filter Function' in the MELSEC iQ-F FX5 User's Manual for Communication)
- [WORKAROUND] If remote web access is not required, disable the web server function on the PLC
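To make the first "Do now" item concrete, the following is an added example; it is not Mitsubishi Electric's code and is not part of the original advisory. It parses constructed firewall/flow log lines in an assumed key=value format, flags every connection to a PLC web port (80/443) from a host outside an allowlist of engineering workstations and HMI hosts, and emits an nftables ruleset that enforces the same allowlist on a firewall forwarding traffic into the PLC segment. The PLC addresses, the allowlist and the log lines are all constructed for illustration.

```python
"""Audit and enforce who may reach MELSEC iQ-F web-server ports.

Added example, not vendor code. Inventory, allowlist, log format and log
lines are constructed assumptions; replace them from the site's asset
register and the real firewall/flow export.
"""
import ipaddress
import re
from dataclasses import dataclass

PLC_WEB_PORTS = {80, 443}

# Constructed inventory: PLC IP -> model/location (assumed values).
PLCS = {
    "10.20.1.11": "FX5U-32MT/ES (line 1)",
    "10.20.1.12": "FX5UJ (line 2)",
}

# Constructed allowlist: the only hosts permitted to use the PLC web UI.
ALLOWED_CLIENTS = [
    ipaddress.ip_network("10.20.0.5/32"),   # engineering workstation
    ipaddress.ip_network("10.20.0.16/28"),  # HMI / monitoring segment
]

# Constructed firewall/flow log in an assumed key=value format.
SAMPLE_LOG = """\
2025-08-22T09:01:03Z src=10.20.0.5 dst=10.20.1.11 dport=80 proto=tcp action=accept
2025-08-22T09:01:09Z src=10.20.0.17 dst=10.20.1.12 dport=443 proto=tcp action=accept
2025-08-22T09:02:41Z src=192.168.50.23 dst=10.20.1.11 dport=80 proto=tcp action=accept
2025-08-22T09:02:42Z src=192.168.50.23 dst=10.20.1.11 dport=80 proto=tcp action=accept
2025-08-22T09:03:10Z src=10.20.0.5 dst=10.20.1.11 dport=5007 proto=tcp action=accept
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int


def parse_log(text: str) -> list[Flow]:
    """Parse the assumed key=value log format; lines that do not match are skipped."""
    flows = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            flows.append(Flow(m["ts"], m["src"], m["dst"], int(m["dport"])))
    return flows


def is_allowed_client(src: str) -> bool:
    """True if src falls inside any allowlisted network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_CLIENTS)


def unauthorized_web_flows(flows: list[Flow]) -> list[Flow]:
    """Flows to a PLC web port that did not come from an allowlisted host."""
    return [
        f for f in flows
        if f.dst in PLCS and f.dport in PLC_WEB_PORTS and not is_allowed_client(f.src)
    ]


def nftables_rules() -> str:
    """Emit an nftables ruleset for a firewall forwarding into the PLC segment.

    Only allowlisted clients may reach the PLC web ports; any other attempt to
    those ports is logged and dropped. Other traffic is left to existing policy.
    """
    plc_set = ", ".join(PLCS)
    client_set = ", ".join(str(n) for n in ALLOWED_CLIENTS)
    ports = ", ".join(str(p) for p in sorted(PLC_WEB_PORTS))
    return "\n".join([
        "table inet plc_web {",
        f"  set plc_hosts {{ type ipv4_addr; elements = {{ {plc_set} }} }}",
        f"  set web_clients {{ type ipv4_addr; flags interval; elements = {{ {client_set} }} }}",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        f"    ip daddr @plc_hosts tcp dport {{ {ports} }} ip saddr @web_clients accept",
        f"    ip daddr @plc_hosts tcp dport {{ {ports} }} log prefix \"plc-web-denied \" drop",
        "  }",
        "}",
    ])


if __name__ == "__main__":
    for f in unauthorized_web_flows(parse_log(SAMPLE_LOG)):
        print(f"{f.ts} {f.src} -> {f.dst}:{f.dport} ({PLCS[f.dst]}) not in allowlist")
    print(nftables_rules())
```

Run as-is to see the two constructed flows from 192.168.50.23 flagged (the 10.20.0.17 HMI and the non-web port 5007 are not), followed by the generated ruleset; the ruleset can be loaded with `nft -f` once the sets reflect the real inventory. A perimeter rule like this only helps against hosts that must cross the firewall, so the PLC-side IP filter or disabling the web server remains the stronger control against an attacker already inside the PLC segment.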
Schedule — requires maintenance window
- No fixed firmware is planned, so there is no patch to schedule; use the window for the PLC-side parameter changes (IP filter, disabling the web server), since writing parameters to the CPU module generally requires a reset or power cycle before they take effect, and plan for the resulting process interruption
- [HARDENING] If remote access is required, deploy a VPN concentrator and require all web access to the PLC to go through the VPN with additional authentication
Long-term hardening
- [HARDENING] Restrict physical access to the affected PLCs and the network cables connected to them to minimize unauthorized hands-on access
CVEs (1)