OTPulse
FeedAboutContact

Mitsubishi Electric MELSEC-Q Series CPU Module

Monitor6.8ICS-CERT ICSA-25-266-02Sep 23, 2025
Attack VectorNetwork
Auth RequiredNone
ComplexityHigh
User InteractionNone needed
Summary

A vulnerability in Mitsubishi Electric MELSEC-Q Series CPU modules (Q03UDVCPU, Q04UDVCPU, Q06UDVCPU, Q13UDVCPU, Q26UDVCPU, Q04UDPVCPU, Q06UDPVCPU, Q13UDPVCPU, Q26UDPVCPU) allows an attacker to cause a denial of service (DoS). The vulnerability affects units manufactured from early August 2024 (serial number starting with '24082') through late July 2027 (before '27082'). The issue has high attack complexity and is not currently being exploited.

What this means
What could happen
An attacker with network access could crash or halt the CPU module, causing the PLC to stop processing control logic and potentially shutting down critical plant operations such as power generation, distribution, or water treatment.
Who's at risk
This vulnerability affects energy sector operators running Mitsubishi Electric MELSEC-Q Series PLCs manufactured between August 2024 and July 2027. This includes power generation and distribution utilities, water treatment authorities, and industrial facilities using these common mid-range CPU modules for critical automation and control. Any organization relying on Q03, Q04, Q06, Q13, or Q26 series CPUs is potentially at risk.
How it could be exploited
An attacker sends a specially crafted network packet to the CPU module's Ethernet port, exploiting improper input validation (CWE-130). The high attack complexity suggests the attacker must either craft the packet very precisely or have knowledge of specific network conditions, but no credentials or prior system access is required.
Prerequisites
  • Network access to the CPU module's Ethernet interface (port 502 or other Modbus TCP port likely required)
  • No authentication required
  • High attack complexity (specific packet crafting or network conditions needed)
Remotely exploitableNo authentication requiredHigh attack complexityNo patch currently availableAffects critical infrastructure control systems
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (9)
9 with fix
ProductAffected VersionsFix Status
MELSEC-Q Series Q03UDVCPU: >=The_first_5_digits_of_serial_No._'24082'|<'27081'≥ The first 5 digits of serial No. '24082'|<'27081'Serial number '27082' or later
MELSEC-Q Series Q04UDPVCPU: >=The_first_5_digits_of_serial_No._'24082'|<'27081'≥ The first 5 digits of serial No. '24082'|<'27081'Serial number '27082' or later
MELSEC-Q Series Q04UDVCPU: >=The_first_5_digits_of_serial_No._'24082'|<'27081'≥ The first 5 digits of serial No. '24082'|<'27081'Serial number '27082' or later
MELSEC-Q Series Q06UDVCPU: >=The_first_5_digits_of_serial_No._'24082'|<'27081'≥ The first 5 digits of serial No. '24082'|<'27081'Serial number '27082' or later
MELSEC-Q Series Q13UDVCPU: >=The_first_5_digits_of_serial_No._'24082'|<'27081'≥ The first 5 digits of serial No. '24082'|<'27081'Serial number '27082' or later
MELSEC-Q Series Q26UDVCPU: >=The_first_5_digits_of_serial_No._'24082'|<'27081'≥ The first 5 digits of serial No. '24082'|<'27081'Serial number '27082' or later
MELSEC-Q Series Q06UDPVCPU: >=The_first_5_digits_of_serial_No._'24082'|<'27081'≥ The first 5 digits of serial No. '24082'|<'27081'Serial number '27082' or later
MELSEC-Q Series Q13UDPVCPU: >=The_first_5_digits_of_serial_No._'24082'|<'27081'≥ The first 5 digits of serial No. '24082'|<'27081'Serial number '27082' or later
Remediation & Mitigation
0/5
Do now
0/2
HARDENINGCheck the serial number of your MELSEC-Q CPU modules. Units with serial numbers starting with '24082' through '27081' are vulnerable. Only modules with serial numbers starting with '27082' or later contain the fix.
WORKAROUNDDeploy a firewall or access control list (ACL) to block unauthorized network traffic to the CPU module. Restrict communication to only known engineering workstations and HMI systems that require legitimate access.
Schedule — requires maintenance window
0/2

Patching may require device reboot — plan for process interruption

HARDENINGIsolate the MELSEC-Q series PLCs from the corporate network and the internet. Ensure the control system operates on a dedicated, air-gapped or VPN-protected LAN.
HARDENINGRestrict physical access to all CPU modules and to any computer or network device that can connect to them (engineering laptops, gateway devices, Ethernet switches).
Long-term hardening
0/1
HARDENINGPlan a migration strategy to the MELSEC iQ-R Series (the successor platform) if the affected MELSEC-Q units cannot be replaced with fixed serial number units. This is a long-term strategic action.
View full CISA ICS-CERT advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/221927de-8184-4102-a08e-0d307639b2e1
Mitsubishi Electric MELSEC-Q Series CPU Module | CVSS 6.8 - OTPulse