Mitsubishi Electric Europe smartRTU OS Command Injection
CVE-2025-3128

9.3CRITICAL

Key Information:

Vendor

Mitsubishi Electric Europe

Status
Smartrtu
Vendor
CVE Published:
21 August 2025

What is CVE-2025-3128?

A remote unauthenticated attacker who has bypassed authentication could execute arbitrary OS commands to disclose, tamper with, destroy or delete information in Mitsubishi Electric smartRTU, or cause a denial-of service condition on the product.

Affected Version(s)

smartRTU 0 <= 3.37

References

https://emea.mitsubishielectric.com/fa/products/quality/q...
https://www.cisa.gov/news-events/ics-advisories/icsa-25-1...

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Noam Moshe of Claroty Team82 reported this vulnerability to CISA.
.
CVE-2025-3128 : Remote Command Execution Vulnerability in Mitsubishi Electric SmartRTU