Mitsubishi Electric FREQSHIP-mini for Windows

Plan Patch8.8ICS-CERT ICSA-26-034-01Feb 3, 2026

Attack VectorLocal

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

FREQSHIP-mini for Windows versions 8.0.0 through 8.0.2 contain an improper access control vulnerability (CWE-276) that allows a local user with a standard account to read, modify, delete, or destroy files and data stored on the system. This could allow an attacker to tamper with drive configurations, engineering data, or software, or render the system unavailable. The vulnerability requires local login but no elevated privileges. A fix is available in version 8.1.0 or later.

What this means

What could happen

An attacker with local access to a FREQSHIP-mini system could modify or delete engineering data, configurations, or software used to control frequency drives and power systems, or cause the PC to become unavailable. This could disrupt motor control operations or prevent remote management of drive equipment.

Who's at risk

Energy utilities and industrial operators who use Mitsubishi Electric FREQSHIP-mini for Windows (versions 8.0.0–8.0.2) to configure, monitor, or troubleshoot frequency drives (VFDs) that control motors, pumps, compressors, or other plant equipment. This includes engineering workstations and maintenance PCs at power plants, substations, and manufacturing facilities.

How it could be exploited

An attacker who has gained local login access to a Windows PC running FREQSHIP-mini (versions 8.0.0 to 8.0.2) can exploit improper file permissions to read, modify, or delete sensitive files in the application directory or configuration folders. If the affected PC is used for remote management of frequency drives, the attacker could alter drive parameters or prevent legitimate engineers from accessing the system.

Prerequisites

Local login to the Windows PC running FREQSHIP-mini versions 8.0.0 to 8.0.2
Low-privilege or standard user account (not administrator)

Improper file permissions allow unauthorized modificationLow complexity to exploit once local access is gainedAffects safety-critical and reliability-critical equipment (motor drives)Requires local access but no special privileges

Exploitability

Low exploit probability (EPSS 0.0%)

Affected products (1)

ProductAffected VersionsFix Status

FREQSHIP-mini for Windows: >=8.0.0|<=8.0.2≥ 8.0.0|≤ 8.0.28.1.0 or later

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDRestrict network access to FREQSHIP-mini PCs by blocking remote logins from untrusted networks and non-administrator users; allow remote login only for administrators via firewall or VPN rules

HARDENINGRestrict physical access to the PC running FREQSHIP-mini and its network connections to authorized personnel only

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate FREQSHIP-mini for Windows to version 8.1.0 or later from the Mitsubishi Electric download site

HARDENINGInstall and keep antivirus software updated on the FREQSHIP-mini PC to reduce the risk of initial compromise

CVEs (1)

CVE-2025-10314

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/d43ac0a1-9397-469d-895b-364c482d1474