Mitsubishi Electric MELSEC iQ-R Series

Plan Patch | CVSS 9.4 | ICS-CERT ICSA-26-036-02 | Feb 5, 2026
Mitsubishi Electric | Energy
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A protocol weakness in MELSEC iQ-R Series CPUs (R08/16/32/120PCPU) firmware versions 48 and earlier allows an attacker with network access to read control program data and device parameters, write data to device memory, or cause the controller to stop responding. The vulnerability is exploitable without valid credentials.

What this means
What could happen
An attacker could read control program logic and device data from your PLC, alter setpoints or parameters in memory, or cause the controller to stop responding, interrupting your process control.
Who's at risk
This affects Mitsubishi Electric MELSEC iQ-R Series CPUs (models R08, R16, R32, R120PCPU) used in energy sector process control systems. Operations personnel, automation engineers, and IT staff managing these controllers should prioritize this immediately.
How it could be exploited
An attacker with network access to the Ethernet port on the MELSEC iQ-R controller can send crafted packets to exploit a protocol weakness (CWE-1284: Improper Restriction of Serialized Data). No valid login credentials are required. The attack directly targets the firmware running on the CPU module.
Prerequisites
  • Network access to the Ethernet port of the MELSEC iQ-R CPU (models R08/16/32/120PCPU)
  • No authentication or credentials required
  • Vulnerability present only in firmware version 48 or earlier
Risk factors: remotely exploitable | no authentication required | low complexity | high CVSS score (9.4) | affects safety-critical control systems | read/write/denial-of-service impact
Exploitability
Unlikely to be exploited — EPSS score 0.0%
Affected products (1)
Product | Affected Versions | Fix Status
MELSEC iQ-R Series R08/16/32/120PCPU firmware: <=48 | ≤ 48 | 49+
Remediation & Mitigation
Do now
WORKAROUND: Configure a firewall to block all inbound access to the MELSEC iQ-R Ethernet port from untrusted networks and hosts
HARDENING: Enable and configure the IP filter function on the MELSEC iQ-R controller to restrict which networks and hosts can communicate with the device (refer to section 1.13 Security in the MELSEC iQ-R Ethernet User's Manual)
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update MELSEC iQ-R CPU module firmware to version 49 or later using Mitsubishi's engineering software and download the update file from https://www.mitsubishielectric.com/fa/download/index.html
Long-term hardening
HARDENING: Restrict physical access to the MELSEC iQ-R controller and the LAN cables connected to it
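
To turn the remediation list into a per-device work list, the following added example (not part of the advisory or any Mitsubishi tooling) triages an asset inventory against the affected models and the firmware 48/49 boundary, and checks whether each device's firewall or IP filter allowlist stays inside trusted networks. The CSV columns, device names, and the 10.20.0.0/24 trusted network are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress

# From the advisory: affected CPU models; firmware 48 and earlier is vulnerable.
AFFECTED_MODELS = {"R08PCPU", "R16PCPU", "R32PCPU", "R120PCPU"}
LAST_AFFECTED_FW = 48
PATCH = "update firmware to 49 or later"
VERIFY = "verify firmware version on the device"
RESTRICT = "restrict network access (firewall / IP filter)"

# Constructed sample inventory; the column names are assumptions of this example.
SAMPLE_INVENTORY = """\
name,model,firmware,allowed_sources
plc-a,R08PCPU,48,
plc-b,R32PCPU,47,10.20.0.0/28
plc-c,R120PCPU,49,0.0.0.0/0
plc-d,r16pcpu,unknown,10.20.0.5/32;192.168.50.0/24
plc-e,OTHER-CPU,30,
"""

def is_restricted(allowed_sources, trusted):
    """True only if every allowed source range sits inside a trusted network."""
    nets = [ipaddress.ip_network(s.strip(), strict=False)
            for s in allowed_sources.split(";") if s.strip()]
    if not nets:
        return False  # no allowlist entries: any host can reach the port
    return all(any(n.version == t.version and n.subnet_of(t) for t in trusted)
               for n in nets)

def triage(csv_text, trusted_cidrs):
    """Map each in-scope device name to the list of actions it still needs."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["model"].strip().upper() not in AFFECTED_MODELS:
            continue  # model not listed in the advisory
        actions = []
        try:
            if int(row["firmware"].strip()) <= LAST_AFFECTED_FW:
                actions.append(PATCH)
        except ValueError:
            actions.append(VERIFY)  # unparseable version: treat as unconfirmed
        # Network restriction is the interim control while unpatched or unknown.
        if actions and not is_restricted(row["allowed_sources"], trusted):
            actions.append(RESTRICT)
        findings[row["name"]] = actions
    return findings

if __name__ == "__main__":
    for name, actions in triage(SAMPLE_INVENTORY, ["10.20.0.0/24"]).items():
        print(name, "->", actions or "no action")
```

An empty allowlist is treated as unrestricted, so a device with no IP filter entries is flagged even if a perimeter firewall exists; record firewall-enforced ranges in the same column if that is the control in place.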