Overly Restrictive Account Lockout Mechanism in Mitsubishi Electric MELSEC iQ-F Series
CVE-2025-5241

5.3 MEDIUM

What is CVE-2025-5241?

The Mitsubishi Electric MELSEC iQ-F Series has an overly restrictive account lockout mechanism that an adversary can abuse. A remote unauthenticated attacker can make repeated login attempts with incorrect passwords, which temporarily locks out legitimate users. Those users cannot access their accounts until the lockout period expires or the device is reset. The result is a denial-of-service condition that can severely disrupt operations.

Affected Version(s)

MELSEC iQ-F Series FX5-CCLGN-MS All versions

MELSEC iQ-F Series FX5S-30MR/DS All versions

MELSEC iQ-F Series FX5S-30MR/ES All versions

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
