Mitsubishi Electric MELSEC iQ-F Series CPU Module
Monitor | 7.5 | ICS-CERT ICSA-25-240-02 | Aug 28, 2025
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The MELSEC iQ-F Series CPU modules contain a vulnerability that allows credential theft via unencrypted SLMP (Seamless Message Protocol) communication. An attacker who captures SLMP traffic can extract embedded credential information and use it to authenticate to the PLC, then read or write device values and stop program execution. The vulnerability exists because SLMP credentials are transmitted in cleartext by default. Mitsubishi Electric has no plans to release a patch.
What this means
What could happen
An attacker who intercepts SLMP communication messages can steal credentials and use them to read, write, or modify device values on the PLC, potentially altering process setpoints or halting production. Since no patch is available from the vendor, this vulnerability will remain in affected systems indefinitely.
Who's at risk
Energy sector operators using Mitsubishi Electric MELSEC iQ-F Series PLCs (FX5S, FX5U, FX5UC, FX5UJ models) should be concerned. These PLCs are commonly used in substations, generation facilities, and distribution automation. The vulnerability affects all versions with no patch available, so all current deployments are vulnerable.
How it could be exploited
An attacker with network access to the same LAN segment as the PLC can capture unencrypted SLMP protocol traffic, extract embedded credentials from the messages, and then use those credentials to authenticate to the PLC and execute commands that alter or stop program execution.
Prerequisites
- Network access to the LAN segment where the PLC is connected
- Ability to capture and inspect SLMP traffic on that network segment
- SLMP communication is not encrypted (default configuration)
- No patch available from vendor
- Low attack complexity (sniffing unencrypted traffic)
- Remotely exploitable over network
- Affects process control (potential for program halt or modification)
- Affects all product versions indefinitely
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (75)
75 pending
Product | Affected Versions | Fix Status
MELSEC iQ-F Series FX5S-30MT/ESS: vers:all/* | All versions | No fix yet
MELSEC iQ-F Series FX5S-30MT/DSS: vers:all/* | All versions | No fix yet
MELSEC iQ-F Series FX5S-40MT/ES: vers:all/* | All versions | No fix yet
MELSEC iQ-F Series FX5S-40MT/DS: vers:all/* | All versions | No fix yet
MELSEC iQ-F Series FX5S-40MT/ESS: vers:all/* | All versions | No fix yet
Remediation & Mitigation
Do now
- HARDENING: Enable encryption for all SLMP communication using a virtual private network (VPN) or similar tunneling mechanism
- HARDENING: Restrict physical and logical access to the LAN connected to affected MELSEC iQ-F PLCs
- HARDENING: Ensure affected PLCs are not accessible from the internet or untrusted networks
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Isolate control system networks from business networks using network segmentation and firewalls
Long-term hardening
- HARDENING: Implement network monitoring to detect unauthorized SLMP traffic or credential misuse
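One way to implement the monitoring step, as an added example that is not part of the advisory or any Mitsubishi Electric code: classify captured TCP payloads as SLMP requests and flag clients outside an allowlist, plus state-changing commands from allowed clients. It assumes SLMP 3E binary frames only; the allowlist addresses, the `sample_request` helper and the sample packets are constructed for illustration.

```python
import struct

# Assumption: SLMP 3E binary request frames (subheader 0x50 0x00); ASCII and 4E frames are not handled.
SENSITIVE = {
    0x1401: "device write (batch)",
    0x1402: "device write (random)",
    0x1001: "remote RUN",
    0x1002: "remote STOP",
    0x1006: "remote RESET",
    0x1630: "remote password unlock",
}
# Hypothetical allowlist: the HMI and engineering workstation permitted to speak SLMP to the PLCs.
ALLOWED_CLIENTS = {"10.20.0.10", "10.20.0.11"}

def parse_slmp_request(payload: bytes):
    """Return (command, subcommand) for a 3E binary request, else None."""
    if len(payload) < 15 or payload[:2] != b"\x50\x00":
        return None
    (data_len,) = struct.unpack_from("<H", payload, 7)
    # data_len covers everything after the length field: timer(2) + command(2) + subcommand(2) + data
    if data_len < 6 or len(payload) < 9 + data_len:
        return None
    return struct.unpack_from("<HH", payload, 11)

def review(packets):
    """packets: iterable of (src_ip, dst_ip, tcp_payload). Returns a list of alert strings."""
    alerts = []
    for src, dst, payload in packets:
        parsed = parse_slmp_request(payload)
        if parsed is None:
            continue  # not an SLMP 3E binary request
        if src not in ALLOWED_CLIENTS:
            alerts.append(f"unauthorized SLMP client {src} -> {dst} cmd=0x{parsed[0]:04X}")
        elif parsed[0] in SENSITIVE:
            alerts.append(f"{SENSITIVE[parsed[0]]} from {src} -> {dst}")
    return alerts

def sample_request(command, subcommand=0, data=b""):
    """Constructed test frame: network 0, station 0xFF, module 0x03FF, timer 0x0010."""
    body = struct.pack("<HHH", 0x0010, command, subcommand) + data
    return b"\x50\x00\x00\xff\xff\x03\x00" + struct.pack("<H", len(body)) + body

SAMPLE = [  # constructed packets, not captured traffic
    ("10.20.0.10", "10.20.0.50", sample_request(0x0401)),     # allowed HMI, batch read
    ("10.20.0.10", "10.20.0.50", sample_request(0x1002)),     # allowed host, remote STOP
    ("10.20.0.77", "10.20.0.50", sample_request(0x1630)),     # unknown host, password unlock
    ("10.20.0.77", "10.20.0.50", b"GET / HTTP/1.1\r\n\r\n"),  # not SLMP, ignored
]
```

Feed `review()` from a span port or tap on the PLC segment, and alert on every entry it returns; routine reads from allowlisted clients produce no output.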
CVEs (1)