Missing Authentication Vulnerability in Mitsubishi Electric MELSEC iQ-F Series CPU Module
CVE-2025-7405

7.3HIGH

Key Information:

Vendor

Mitsubishi Electric Corporation

Status
Melsec Iq-f Series Fx5u-32mt/es
Melsec Iq-f Series Fx5u-32mt/ds
Melsec Iq-f Series Fx5u-32mt/ess
Melsec Iq-f Series Fx5u-32mt/dss
Vendor
CVE Published:
1 September 2025

What is CVE-2025-7405?

A vulnerability exists in the Mitsubishi Electric MELSEC iQ-F Series CPU module that allows remote, unauthenticated attackers to manipulate device values. This flaw is due to the lack of authentication in the MODBUS/TCP implementation, enabling unauthorized users to halt program operations or change critical device settings. Organizations using these products should assess their security posture and apply necessary mitigations to safeguard against potential exploitation.

Affected Version(s)

MELSEC iQ-F Series FX5S-30MR/DS All versions

MELSEC iQ-F Series FX5S-30MR/ES All versions

MELSEC iQ-F Series FX5S-30MT/DS All versions

References

https://www.mitsubishielectric.com/psirt/vulnerability/pd...
vendor-advisory
https://jvn.jp/vu/JVNVU90041458/
government-resource
https://www.cisa.gov/news-events/ics-advisories/icsa-25-2...
government-resource

CVSS V3.1

Score:
7.3
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.