Mitsubishi Electric MELSEC iQ-F Series CPU Module

Monitor | CVSS 7.5 | ICS-CERT ICSA-25-240-02 | Aug 28, 2025
Mitsubishi Electric | Energy
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The MELSEC iQ-F Series CPU modules (FX5S, FX5U, FX5UC, FX5UJ models) transmit SLMP communication messages without encryption or integrity protection. An attacker on the network can intercept these messages to extract credential information, then use those credentials to read or write device values and program states on the PLC. This could allow an attacker to disrupt or alter process control operations. All versions of the affected models are vulnerable, and Mitsubishi Electric has advised there are no plans to release a firmware patch.

What this means
What could happen
An attacker with network access to SLMP communication could capture credentials and use them to read/write device values or stop PLC operations, disrupting manufacturing, power generation, or other automated processes.
Who's at risk
Energy sector operators, including power utilities and equipment manufacturers, who deploy Mitsubishi Electric MELSEC iQ-F Series compact PLCs (FX5S, FX5U, FX5UC, FX5UJ models) for process control, generator control, or automation in power generation, distribution, or industrial facilities.
How it could be exploited
An attacker on the same network segment as the MELSEC iQ-F PLC intercepts unencrypted SLMP (Seamless Message Protocol) traffic to extract credentials. Using the captured credentials, the attacker authenticates to the PLC and issues commands to alter process values or halt program execution.
Prerequisites
  • Network access to SLMP protocol traffic (typically port 2000 or 2001 on Mitsubishi PLCs)
  • Unencrypted SLMP communication in use (no VPN or TLS encryption)
  • Ability to capture or sniff packets on the network segment where the PLC resides
  • No patch available
  • Remotely exploitable
  • Low complexity exploitation
  • No authentication required to intercept SLMP traffic
  • Affects critical industrial control devices (PLCs)
  • Wide range of affected product models
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (75)
75 pending
| Product | Affected Versions | Fix Status |
|---|---|---|
| MELSEC iQ-F Series FX5S-30MT/ESS: vers:all/* | All versions | No fix yet |
| MELSEC iQ-F Series FX5S-30MT/DSS: vers:all/* | All versions | No fix yet |
| MELSEC iQ-F Series FX5S-40MT/ES: vers:all/* | All versions | No fix yet |
| MELSEC iQ-F Series FX5S-40MT/DS: vers:all/* | All versions | No fix yet |
| MELSEC iQ-F Series FX5S-40MT/ESS: vers:all/* | All versions | No fix yet |
Remediation & Mitigation
Do now
  • HARDENING: Encrypt all SLMP communication using a virtual private network (VPN) or VPN tunnel to protect credentials in transit
  • HARDENING: Restrict network access to SLMP ports (2000/2001) using firewall rules—allow only authorized engineering workstations and HMI systems
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HARDENING: Segment the PLC network from business and untrusted networks using air-gap isolation or network firewalls to prevent unauthorized access
  • HARDENING: Implement network monitoring to detect suspicious SLMP traffic or attempted authentication from unauthorized sources
Long-term hardening
  • HARDENING: Restrict physical access to the LAN cables and switch ports connected to the MELSEC iQ-F PLC to prevent local packet capture attacks
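
One way to implement the network-monitoring item above, as an added example (not code from the advisory or from Mitsubishi Electric): a Python check that flags connections to a PLC's SLMP ports from sources outside an allowlist. The log format, IP addresses and allowlist are constructed assumptions; ports 2000/2001 are the ones this advisory names.

```python
import csv
import io
import ipaddress

# Ports this advisory names as typical for SLMP on Mitsubishi PLCs.
SLMP_PORTS = {2000, 2001}

# Assumed site inventory (constructed values): PLC addresses and the
# engineering workstations / HMIs permitted to reach them over SLMP.
PLC_HOSTS = {ipaddress.ip_address("10.20.0.10"), ipaddress.ip_address("10.20.0.11")}
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.1.5/32"),   # engineering workstation
                   ipaddress.ip_network("10.20.2.0/28")]   # HMI subnet

# Constructed connection log, one record per line: timestamp,src_ip,dst_ip,dst_port
SAMPLE_LOG = """\
2025-08-28T09:00:01Z,10.20.1.5,10.20.0.10,2000
2025-08-28T09:00:07Z,10.20.2.3,10.20.0.11,2001
2025-08-28T09:01:12Z,10.30.4.77,10.20.0.10,2000
2025-08-28T09:01:15Z,10.20.1.5,10.20.0.10,443
2025-08-28T09:02:40Z,192.168.50.9,10.20.0.11,2001
2025-08-28T09:03:00Z,not-an-ip,10.20.0.10,2000
"""

def find_unauthorized_slmp(log_text):
    """Return alerts for SLMP connections to a PLC from non-allowlisted sources."""
    alerts = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:
            continue  # skip blank or structurally malformed lines
        ts, src, dst, port = row
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            dport = int(port)
        except ValueError:
            # A record the monitor cannot parse is surfaced, not silently dropped.
            alerts.append((ts, src, dst, port, "unparseable record"))
            continue
        if dst_ip not in PLC_HOSTS or dport not in SLMP_PORTS:
            continue  # not SLMP traffic to a monitored PLC
        if not any(src_ip in net for net in ALLOWED_SOURCES):
            alerts.append((ts, src, dst, port, "SLMP from unauthorized source"))
    return alerts

if __name__ == "__main__":
    for alert in find_unauthorized_slmp(SAMPLE_LOG):
        print(*alert, sep="  ")
```

The same allowlist can drive the firewall rules for ports 2000/2001, so that an alert from this check indicates a gap or a change in the firewall policy.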