OTPulse

Mitsubishi Electric MELSEC-Q Series CPU Module

MonitorCVSS 6.8ICS-CERT ICSA-25-266-02Sep 23, 2025
Mitsubishi ElectricEnergy
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityHigh
User InteractionNone needed
Summary

A denial-of-service vulnerability exists in Mitsubishi Electric MELSEC-Q Series CPU modules with serial numbers between 24082 and 27081. Successful exploitation allows an attacker to cause the CPU module to stop responding to normal control commands. The vulnerability requires high attack complexity to exploit. Mitsubishi Electric has fixed the issue in units with serial number 27082 or later, but updated firmware for existing systems is not currently available for download.

What this means
What could happen
An attacker with network access to an affected Mitsubishi MELSEC-Q Series PLC could cause it to stop responding, halting all processes controlled by that CPU until it is manually restarted.
Who's at risk
This affects energy utilities and manufacturers running Mitsubishi MELSEC-Q Series PLC CPU modules, including Q03UDVCPU, Q04UDVCPU, Q04UDPVCPU, Q06UDVCPU, Q06UDPVCPU, Q13UDVCPU, Q13UDPVCPU, Q26UDVCPU, and Q26UDPVCPU units. Any facility using these modules for process control, power distribution automation, or critical facility management should verify their hardware serial numbers.
How it could be exploited
An attacker on the same network segment as the PLC sends a specially crafted network packet to trigger an internal error in the CPU module. This causes the PLC to enter a denial-of-service state where it no longer processes normal control commands or communications.
Prerequisites
  • Network access to the PLC on the same LAN or via routing if exposed to untrusted networks
  • No authentication required
  • High attack complexity (specific conditions must be met to trigger the vulnerability)
remotely exploitableno authentication requiredaffects industrial PLCspatch availability delayed (units with serial 27082+ not yet available for existing deployments)high attack complexity
Exploitability
Unlikely to be exploited — EPSS score 0.3%
Affected products (9)
9 with fix
ProductAffected VersionsFix Status
MELSEC-Q Series Q03UDVCPU: >=The_first_5_digits_of_serial_No._'24082'|<'27081'≥ The first 5 digits of serial No. '24082'|<'27081'Serial number '27082'+
MELSEC-Q Series Q04UDPVCPU: >=The_first_5_digits_of_serial_No._'24082'|<'27081'≥ The first 5 digits of serial No. '24082'|<'27081'Serial number '27082'+
MELSEC-Q Series Q04UDVCPU: >=The_first_5_digits_of_serial_No._'24082'|<'27081'≥ The first 5 digits of serial No. '24082'|<'27081'Serial number '27082'+
MELSEC-Q Series Q06UDVCPU: >=The_first_5_digits_of_serial_No._'24082'|<'27081'≥ The first 5 digits of serial No. '24082'|<'27081'Serial number '27082'+
MELSEC-Q Series Q13UDVCPU: >=The_first_5_digits_of_serial_No._'24082'|<'27081'≥ The first 5 digits of serial No. '24082'|<'27081'Serial number '27082'+
MELSEC-Q Series Q26UDVCPU: >=The_first_5_digits_of_serial_No._'24082'|<'27081'≥ The first 5 digits of serial No. '24082'|<'27081'Serial number '27082'+
MELSEC-Q Series Q06UDPVCPU: >=The_first_5_digits_of_serial_No._'24082'|<'27081'≥ The first 5 digits of serial No. '24082'|<'27081'Serial number '27082'+
MELSEC-Q Series Q13UDPVCPU: >=The_first_5_digits_of_serial_No._'24082'|<'27081'≥ The first 5 digits of serial No. '24082'|<'27081'Serial number '27082'+
Remediation & Mitigation
0/5
Do now
0/1
WORKAROUNDRestrict network access to all MELSEC-Q Series PLCs using a firewall. Block incoming traffic to the PLC from any network that is not essential for operations.
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HOTFIXCheck the serial number of your MELSEC-Q Series CPU modules. If the first 5 digits are in the range 24082 to 27081, request replacement units from Mitsubishi Electric with serial numbers starting with 27082 or later.
Long-term hardening
0/3
HARDENINGImplement network segmentation: isolate the PLC on a separate industrial network segment that cannot be reached from office networks or the internet.
HARDENINGRestrict physical access to the PLC and to any engineering workstations or network devices that connect to it.
HARDENINGIf remote access to the PLC is required for maintenance or monitoring, use a VPN connection and ensure the VPN is updated to the latest version available.
View full CISA ICS-CERT advisory
API: /api/v1/advisories/221927de-8184-4102-a08e-0d307639b2e1

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.

Mitsubishi Electric MELSEC-Q Series CPU Module | CVSS 6.8 - OTPulse