Mitsubishi Electric MELSEC iQ-F Series
Monitor | CVSS 5.3 | ICS-CERT ICSA-25-317-01 | Nov 13, 2025
Mitsubishi Electric | Energy
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A vulnerability in Mitsubishi Electric MELSEC iQ-F Series PLCs (CWE-1284) allows an attacker to send a specially crafted packet over the network that causes the PLC to enter a denial-of-service state and stop responding. The affected product lines include FX5U, FX5UC, FX5UJ, and FX5S models across all versions. Mitsubishi Electric has not released a patch and no fix is planned for these end-of-life or legacy products. Mitigation requires network segmentation and access control.
What this means
What could happen
An attacker with network access to a MELSEC iQ-F Series PLC could send a specially crafted packet to cause the device to stop responding, interrupting the automation process controlled by that PLC until it is manually restarted.
Who's at risk
This affects energy sector operators using Mitsubishi Electric MELSEC iQ-F Series PLCs (FX5U, FX5UC, FX5UJ, FX5S families). These compact PLCs are commonly used for pump control, motor starters, process monitoring, and facility automation in water utilities and electric utilities. Affected models include the FX5U-32/64/80 series, FX5UC series, FX5UJ series, and FX5S series in both standard and communication module variants.
How it could be exploited
An attacker on the same network or with network connectivity to the PLC sends a malicious network packet to the device. The PLC processes this packet incorrectly, enters a denial-of-service state, and stops responding to commands until manually restarted.
Prerequisites
- Network access to the PLC on its Ethernet port
- No credentials or authentication required
remotely exploitable | no authentication required | low complexity | no patch available
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (83)
83 pending
Product | Affected Versions | Fix Status
FX5U-32MT/ES: vers:all/* | All versions | No fix yet
FX5U-32MT/DS: vers:all/* | All versions | No fix yet
FX5U-32MT/ESS: vers:all/* | All versions | No fix yet
FX5U-32MT/DSS: vers:all/* | All versions | No fix yet
FX5U-64MT/DS: vers:all/* | All versions | No fix yet
Remediation & Mitigation
Do now
- HARDENING: Restrict network access to PLCs by implementing firewall rules that allow only authorized engineering workstations and control systems to communicate with the PLC ports
- HARDENING: Use a VPN to encrypt all remote communication when engineering staff require access to PLCs over the internet
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- WORKAROUND: Monitor the Mitsubishi Electric security advisory 2025-014 for any future updates or patches that may become available
Long-term hardening
- HARDENING: Restrict physical access to PLCs and the LAN segments where they are deployed to authorized personnel only
- HARDENING: Segment your industrial network so PLCs are isolated from general IT networks and internet-facing systems
CVEs (1)