OTPulse
FeedAboutContact

Mitsubishi Electric MELSEC iQ-F Series

Monitor5.3ICS-CERT ICSA-25-317-01Nov 13, 2025
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

The Mitsubishi Electric MELSEC iQ-F Series PLCs contain a vulnerability (CWE-1284) that allows an attacker with network access to cause a denial-of-service condition on the affected product. An attacker can send malformed input that the device fails to properly handle, causing the PLC to crash or become unresponsive. No patch is available from Mitsubishi Electric for any version of the affected models.

What this means
What could happen
An attacker with network access to an affected PLC could trigger a denial-of-service condition that halts the device, interrupting automated processes until manual intervention restarts it.
Who's at risk
Energy utilities and any industrial facility using Mitsubishi Electric MELSEC iQ-F Series PLCs (FX5U, FX5UC, FX5UJ, and FX5S models) for process automation and control. This includes water treatment plants, power generation facilities, and any equipment relying on these PLCs for critical operations.
How it could be exploited
An attacker on the network reachable by the PLC sends a specially crafted packet or request to the device. The device fails to properly handle the malformed input, crashes, or enters an unresponsive state (denial of service).
Prerequisites
  • Network access to the PLC on its active network port
  • No authentication required
remotely exploitableno authentication requiredno patch availablelow complexity
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (83)
83 pending
ProductAffected VersionsFix Status
FX5U-32MT/ES: vers:all/*All versionsNo fix yet
FX5U-32MT/DS: vers:all/*All versionsNo fix yet
FX5U-32MT/ESS: vers:all/*All versionsNo fix yet
FX5U-32MT/DSS: vers:all/*All versionsNo fix yet
FX5U-64MT/DS: vers:all/*All versionsNo fix yet
Remediation & Mitigation
0/4
Schedule — requires maintenance window
0/2

Patching may require device reboot — plan for process interruption

HARDENINGRestrict physical access to the PLC and the LAN it is connected to, limiting who can reach the device network
HARDENINGMonitor network traffic to the PLC for unusual or malformed packets that could trigger a denial-of-service condition
Long-term hardening
0/2
HARDENINGUse a VPN to encrypt communication if the PLC must be accessed over the internet
HARDENINGImplement network segmentation to isolate the PLC on a separate VLAN from general IT networks and untrusted external connections
View full CISA ICS-CERT advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/1dfa9b3a-f140-4d8e-96ae-84ee2a190400
Mitsubishi Electric MELSEC iQ-F Series | CVSS 5.3 - OTPulse