All news with #mitsubishi electric tag

CISA Releases 18 Industrial Control Systems Advisories

🔔 CISA released 18 Industrial Control Systems (ICS) advisories addressing security flaws across a broad set of vendors and product families. The advisories cover firmware, application software, and cloud services used in operational technology and industrial environments, including products from Siemens, Rockwell Automation, AVEVA, and Mitsubishi Electric. Administrators should review the advisories for technical details and apply vendor mitigations, patches, and compensating controls promptly to reduce risk to availability and safety.

Mitsubishi MELSEC iQ-F Series TCP DoS Vulnerability

🚨 Mitsubishi Electric disclosed a TCP communication vulnerability (CVE-2025-10259) in the MELSEC iQ-F Series CPU modules that can be triggered remotely to disconnect a session and cause a denial-of-service condition. The issue is remotely exploitable with low attack complexity and carries a CVSS v3.1 base score of 5.3. Mitsubishi recommends using VPNs and limiting physical and LAN access while applying vendor guidance and assessing risk.

CISA Publishes Four ICS Advisories on October 9, 2025

🔔 CISA released four Industrial Control Systems (ICS) Advisories on October 9, 2025, covering vulnerabilities in Hitachi Energy Asset Suite, Rockwell Automation Lifecycle Services with Cisco, Rockwell Automation Stratix, and an update to Mitsubishi Electric Multiple FA Products. Each advisory provides technical details, risk ratings, and recommended mitigations. Administrators and asset owners should review the advisories promptly and apply mitigations or vendor patches to reduce exposure. CISA emphasizes timely review and implementation to protect operational environments.

CISA Issues Six New Industrial Control Systems Advisories

🔔 CISA released six Industrial Control Systems (ICS) advisories on September 23, 2025, providing timely information on security issues, vulnerabilities, and potential exploits across multiple product families. The advisories cover AutomationDirect CLICK PLUS, Mitsubishi Electric MELSEC‑Q Series CPU Module, Schneider Electric SESU, Viessmann Vitogate 300, and two updates for Hitachi Energy RTU500 Series. Users and administrators are urged to review each advisory for technical details and apply recommended mitigations promptly.

Mitsubishi MELSEC-Q CPU Module Denial-of-Service Risk

⚠️ CISA advises that a denial-of-service vulnerability (CVE-2025-8531) affects Mitsubishi Electric MELSEC-Q Series CPU modules when the user authentication function is enabled, due to improper handling of a length parameter (CWE-130). The issue has a CVSS v3.1 base score of 6.8 (AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H) and is exploitable remotely but characterized by high attack complexity. Mitsubishi has identified fixed units with serial ranges beginning '27082' or later and recommends migrating to the successor MELSEC iQ-R Series where updates are unavailable; organizations should apply network-access restrictions and defense-in-depth mitigations.

CISA Issues Nine New ICS Advisories on Sep 18, 2025

🛡️ CISA released nine Industrial Control Systems (ICS) advisories on September 18, 2025, detailing vulnerabilities, exploits, and mitigations affecting multiple vendors and products. The advisories cover Westermo WeOS, Schneider Electric Saitel RTUs, Hitachi Energy Asset and Service Suites, Cognex In‑Sight devices, Dover Fueling Solutions ProGauge MagLink LX4 devices, plus updates for rail linking protocols and Mitsubishi FA engineering tools. Administrators and operators are urged to review the technical details and apply recommended mitigations promptly to reduce operational and safety risk.

CISA Releases Fourteen ICS Advisories — September 9, 2025

🔔 CISA released fourteen Industrial Control Systems (ICS) advisories on September 9, 2025, providing timely information on security issues, vulnerabilities, and potential exploits affecting critical industrial products. The set includes advisories for Rockwell Automation (ThinManager, Stratix IOS, FactoryTalk families, CompactLogix, ControlLogix, Analytics LogixAI, 1783-NATR), Mitsubishi Electric, Schneider Electric, ABB, and others. Administrators are urged to review the advisories for technical details, CVE references, and recommended mitigations, and to prioritize patching, configuration changes, and compensating controls to reduce operational risk.

CISA Issues Five ICS Advisories on Critical Vulnerabilities

⚠ CISA released five Industrial Control Systems (ICS) advisories on September 4, 2025, detailing vulnerabilities, impacts, and recommended mitigations for multiple OT products and protocols. The advisories address Honeywell OneWireless WDM, Mitsubishi Electric/ICONICS products, Delta Electronics COMMGR, Honeywell Experion PKS, and the End-of-Train/Head-of-Train Remote Linking Protocol. Several notices are updates (A/B) that include revised technical analysis and vendor-supplied mitigations. Administrators are urged to review the advisories promptly and apply recommended controls.

Mitsubishi MELSEC iQ-F CPU Module: Cleartext Credentials

🔒 Mitsubishi Electric disclosed a MELSEC iQ-F Series CPU module vulnerability (CVE-2025-7731) that transmits sensitive authentication data in cleartext over SLMP, enabling remote attackers to intercept credentials and read or write device values or halt program execution. Assigned CVSS v4 8.7 and described as remotely exploitable with low attack complexity, the issue affects many FX5U/FX5UC/FX5UJ/FX5S variants — Mitsubishi reports no planned patch. Mitsubishi and CISA recommend mitigations such as encrypting SLMP traffic with a VPN, restricting LAN access, isolating control networks behind firewalls, and following ICS hardening best practices.

CISA Publishes Nine ICS Advisories on August 28, 2025

🔔 On August 28, 2025, CISA released nine Industrial Control Systems (ICS) advisories that detail vulnerabilities, impacts, and recommended mitigations for multiple vendors and product families. The advisories cover Mitsubishi Electric, Schneider Electric, Delta Electronics, GE Vernova, and Hitachi Energy, and include several updates to prior notices. Operators and administrators are encouraged to review each advisory for affected versions, vendor patches, and configuration mitigations, and to prioritize remediation and monitoring to reduce operational risk.

Mitsubishi MELSEC iQ-F CPU: Missing Authentication Flaw

⚠️ Mitsubishi Electric's MELSEC iQ-F Series CPU modules are affected by a Missing Authentication for Critical Function vulnerability (CVE-2025-7405) in Modbus/TCP that can allow remote attackers to read and write device values and potentially halt program execution. CISA assigns a CVSS v4 base score of 6.9 and notes the issue is remotely exploitable with low attack complexity. Mitsubishi reports many FX5U/FX5UC/FX5UJ/FX5S variants affected and currently has no fixed version planned. Recommended mitigations include network segmentation, VPNs or firewalls, IP filtering, and restricting physical access.

CISA Releases Three Industrial Control Systems Advisories

🔔 CISA released three Industrial Control Systems (ICS) advisories on August 21, 2025, detailing vulnerabilities and potential exploits affecting products from Mitsubishi Electric and FUJIFILM. The notices cover MELSEC iQ-F Series CPU Module, Mitsubishi Electric air conditioning systems (Update A), and Synapse Mobility. Each advisory includes technical details and recommended mitigations. CISA urges administrators and asset owners to review and apply the guidance promptly.

Mitsubishi MELSEC iQ-F CPU Module Denial-of-Service

🔒 CISA published Advisory ICSA-25-233-01 on August 21, 2025 describing a Denial-of-Service vulnerability (CVE-2025-5514, CVSS v3 5.3) in the Mitsubishi Electric MELSEC iQ-F Series CPU module web server. An attacker can send specially crafted HTTP requests that exploit an Improper Handling of Length Parameter Inconsistency to delay processing and prevent legitimate users from accessing the web server. Mitsubishi Electric reports no plans to release a fix and advises customers to restrict network exposure, use IP filtering and VPNs, and limit physical access. CISA recommends isolating control networks behind firewalls and minimizing internet exposure.