Improper Handling of Length Parameter Inconsistency in Mitsubishi Electric MELSEC-Q Series
CVE-2025-8531

6.8 MEDIUM

What is CVE-2025-8531?

A vulnerability exists in Mitsubishi Electric MELSEC-Q Series products due to improper handling of length parameter inconsistency. Specifically, affected models can experience an integer underflow when they receive specially crafted packets. This can disrupt both Ethernet communications and the execution of control programs, especially when the user authentication function is enabled. Notably, the user authentication function is enabled by default only under certain configurations with GX Works2, which is compliant with the Cybersecurity Law of the People's Republic of China.

Affected Version(s)

  • MELSEC-Q Series Q03UDVCPU: the first 5 digits of serial No. "24082" to "27081"

  • MELSEC-Q Series Q04UDPVCPU: the first 5 digits of serial No. "24082" to "27081"

  • MELSEC-Q Series Q04UDVCPU: the first 5 digits of serial No. "24082" to "27081"

CVSS V3.1

Score: 6.8
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
