Mitsubishi Electric Corporation MELSEC iQ-F Series CPU module (Update A)
Monitor | 5.3 | ICS-CERT ICSA-25-233-01 | Aug 21, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The MELSEC iQ-F Series CPU modules contain a vulnerability in the web server function that allows a remote attacker to cause a denial of service by sending specially crafted HTTP requests. Successful exploitation prevents legitimate users from accessing the web interface for remote monitoring and configuration. The vulnerability affects multiple FX5 series CPU module variants including FX5U, FX5UC, FX5UJ, and FX5S models. Mitsubishi Electric has determined there are no plans to release a patched version for this vulnerability.
What this means
What could happen
An attacker could send specially crafted HTTP requests to the PLC's web interface to overload it, preventing legitimate operators from accessing the web-based monitoring and configuration functions and potentially disrupting remote operations.
Who's at risk
Energy sector operators using Mitsubishi Electric MELSEC iQ-F Series CPU modules (FX5U, FX5UC, FX5UJ, FX5S variants) for process automation and control should be concerned. These PLCs often control critical infrastructure operations like power distribution, generation, and industrial processes. Any disruption to their web interface could prevent remote diagnostics and emergency reconfiguration.
How it could be exploited
An attacker on the network sends malicious HTTP requests to the web server port on the MELSEC iQ-F CPU module. The crafted requests cause the web server to hang or become unresponsive, blocking access for legitimate users trying to monitor or configure the device remotely via its web interface.
Prerequisites
- Network access to the web server port on the MELSEC CPU module (typically port 80 or 443)
- The CPU module's web server function must be enabled
- No authentication is required to trigger the denial of service
remotely exploitable | no authentication required | low complexity | no patch available | affects web server availability on control systems
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (75)
75 pending
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| MELSEC iQ-F Series CPU module FX5U-32MT/ES | ≥ 1.060 | No fix yet |
| MELSEC iQ-F Series CPU module FX5U-32MT/DS | ≥ 1.060 | No fix yet |
| MELSEC iQ-F Series CPU module FX5U-32MT/ESS | ≥ 1.060 | No fix yet |
| MELSEC iQ-F Series CPU module FX5U-32MT/DSS | ≥ 1.060 | No fix yet |
| MELSEC iQ-F Series CPU module FX5U-32MR/ES | ≥ 1.060 | No fix yet |
Remediation & Mitigation
Do now
- HARDENING: Disable or restrict network access to the web server function if remote web monitoring is not required
- WORKAROUND: Deploy firewall rules to block HTTP/HTTPS traffic from untrusted networks to the MELSEC CPU module
- WORKAROUND: Enable and configure the IP filter function on the CPU module to restrict access to only trusted engineering workstations and monitoring systems
Long-term hardening
- HARDENING: Isolate MELSEC CPU modules on a segregated LAN separate from internet-connected business networks
- HARDENING: If remote access is required, use a VPN with strong authentication to tunnel all access to the CPU modules
- HARDENING: Restrict physical access to the MELSEC CPU modules and the local area network they are connected to
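One way to check that the firewall and IP filter workarounds above are holding, as an added example that is not part of the advisory or any Mitsubishi Electric tooling: it scans flow records for allowed connections to the CPU modules' web ports from sources outside the trusted list. The addresses, the trusted range and the log format are constructed assumptions; only ports 80 and 443 come from the page.

```python
import ipaddress
from collections import Counter

# Assumed, constructed values (documentation address ranges, not from the advisory).
PLC_ADDRS = {ipaddress.ip_address("192.0.2.10"), ipaddress.ip_address("192.0.2.11")}
TRUSTED_NETS = [ipaddress.ip_network("198.51.100.0/28")]  # engineering workstations
WEB_PORTS = {80, 443}  # ports the advisory names as typical for the web server

# Constructed sample flow records: "timestamp src dst dport action"
SAMPLE_LOG = """\
2025-08-21T10:00:01Z 198.51.100.5 192.0.2.10 80 allow
2025-08-21T10:00:02Z 203.0.113.77 192.0.2.10 80 allow
2025-08-21T10:00:03Z 203.0.113.77 192.0.2.10 80 allow
2025-08-21T10:00:04Z 198.51.100.40 192.0.2.11 443 allow
2025-08-21T10:00:05Z 203.0.113.77 192.0.2.10 502 allow
2025-08-21T10:00:06Z 203.0.113.9 192.0.2.11 443 deny
malformed line
"""

def is_trusted(src):
    """True if the source address falls inside any trusted network."""
    return any(src in net for net in TRUSTED_NETS)

def untrusted_web_access(log_text):
    """Count allowed flows to PLC web ports from sources outside TRUSTED_NETS."""
    hits = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed records
        _, src, dst, dport, action = parts
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue  # skip records with unparsable addresses or ports
        # Only flows that actually reached a PLC web port matter here.
        if action != "allow" or dst_ip not in PLC_ADDRS or port not in WEB_PORTS:
            continue
        if not is_trusted(src_ip):
            hits[(src, dst, port)] += 1
    return hits

if __name__ == "__main__":
    for (src, dst, port), n in untrusted_web_access(SAMPLE_LOG).items():
        print(f"{src} -> {dst}:{port} allowed {n} time(s), source not in trusted list")
```

Any hit means a path to the web server function exists that the firewall rules or IP filter should have closed.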
CVEs (1)