Mitsubishi Electric MELSEC iQ-F Series CPU Module

MonitorCVSS 7.3ICS-CERT ICSA-25-240-01Aug 28, 2025

Mitsubishi ElectricEnergy

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A vulnerability in the MELSEC iQ-F series PLC allows an unauthenticated attacker on the network to read or write device values and stop programs. The flaw exists across multiple product families (FX5U, FX5UC, FX5UJ, FX5S) and all firmware versions of some variants, with no vendor patch planned. Mitsubishi Electric recommends network isolation, firewall protection, IP filtering, and VPN use for remote access.

What this means

What could happen

An attacker with network access to a MELSEC iQ-F PLC could read or modify control values and stop running automation programs, disrupting water treatment, power generation, or other critical industrial processes.

Who's at risk

Operators running Mitsubishi Electric MELSEC iQ-F series PLCs (FX5U, FX5UC, FX5UJ, FX5S product families) in water treatment, electric utilities, manufacturing, and other industrial automation environments. Any facility using these PLCs for critical process control is affected.

How it could be exploited

An attacker on the same network as the PLC (or reachable via exposed connectivity) can send commands without authentication to the PLC's network interface to access or modify device values and program execution state. No initial credentials or special equipment are required.

Prerequisites

Network access (direct or routed) to the PLC's Ethernet port
No authentication credentials required

No patch availableRemotely exploitableNo authentication requiredLow complexityAffects safety and process control systemsWide product range

Exploitability

Unlikely to be exploited — EPSS score 0.2%

Affected products (75)

75 pending

ProductAffected VersionsFix Status

MELSEC iQ-F Series FX5UC-64MT/D: >=1.060≥ 1.060No fix yet

MELSEC iQ-F Series FX5UC-64MT/DSS: >=1.060≥ 1.060No fix yet

MELSEC iQ-F Series FX5UC-96MT/D: >=1.060≥ 1.060No fix yet

MELSEC iQ-F Series FX5UC-96MT/DSS: >=1.060≥ 1.060No fix yet

MELSEC iQ-F Series FX5UC-32MT/DS-TS: >=1.060≥ 1.060No fix yet

Remediation & Mitigation

0/5

Do now

0/2

WORKAROUNDImplement firewall rules to block all inbound connections to the PLC from untrusted networks; allow only authorized engineering workstations and control systems

HARDENINGEnable IP filtering on the PLC itself using the IP Filter Function in the device to restrict access to known good hosts only

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HARDENINGIsolate the PLC on a dedicated control network segment (VLAN) that does not route to corporate IT networks or the internet

HARDENINGIf internet connectivity to the PLC is required, deploy and configure a VPN to encrypt and authenticate remote access

Long-term hardening

0/1

HARDENINGRestrict physical access to the PLC and the network cables connected to it to prevent tampering

CVEs (1)

CVE-2025-7405

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/0de4db1b-89e2-4498-8775-37e4eb7a25a6

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.