Mitsubishi Electric MELSEC iQ-F Series

View CSAF

1. EXECUTIVE SUMMARY CVSS v4 6.9 ATTENTION: Exploitable remotely/Low attack complexity Vendor: Mitsubishi Electric Corporation Equipment: MELSEC iQ-F Series Vulnerability: Overly Restrictive Account Lockout Mechanism
2. RISK EVALUATION Successful exploitation of this vulnerability could result in a denial-of-service condition for legitimate users for a certain period by repeatedly attempting to log in with incorrect passwords. When the product repeatedly receives unauthorized logins from an attacker, legitimate users will be unable to be authenticated until a certain period has passed after the lockout or until the product is reset.
3. TECHNICAL DETAILS 3.1 AFFECTED PRODUCTS The following version of MELSEC iQ-F Series is affected: FX5U-32MT/ES: All versions FX5U-32MT/DS: All versions FX5U-32MT/ESS: All versions FX5U-32MT/DSS: All versions FX5U-32MR/ES: All versions FX5U-32MR/DS: All versions FX5U-64MT/ES: All versions FX5U-64MT/DS: All versions FX5U-64MT/ESS: All versions FX5U-64MT/DSS: All versions FX5U-64MR/ES: All versions FX5U-64MR/DS: All versions FX5U-80MT/ES: All versions FX5U-80MT/DS: All versions FX5U-80MT/ESS: All versions FX5U-80MT/DSS: All versions FX5U-80MR/ES: All versions FX5U-80MR/DS: All versions FX5UC-32MT/D: All versions FX5UC-32MT/DSS: All versions FX5UC-64MT/D: All versions FX5UC-64MT/DSS: All versions FX5UC-96MT/D: All versions FX5UC-96MT/DSS: All versions FX5UC-32MT/DS-TS: All versions FX5UC-32MT/DSS-TS: All versions FX5UC-32MR/DS-TS: All versions FX5UJ-24MT/ES: All versions FX5UJ-24MT/DS: All versions FX5UJ-24MT/ESS: All versions FX5UJ-24MT/DSS: All versions FX5UJ-24MR/ES: All versions FX5UJ-24MR/DS: All versions FX5UJ-40MT/ES: All versions FX5UJ-40MT/DS: All versions FX5UJ-40MT/ESS: All versions FX5UJ-40MT/DSS: All versions FX5UJ-40MR/ES: All versions FX5UJ-40MR/DS: All versions FX5UJ-60MT/ES: All versions FX5UJ-60MT/DS: All versions FX5UJ-60MT/ESS: All versions FX5UJ-60MT/DSS: All versions FX5UJ-60MR/ES: All versions FX5UJ-60MR/DS: All versions FX5UJ-24MT/ES-A: All versions FX5UJ-24MR/ES-A: All versions FX5UJ-40MT/ES-A: All versions FX5UJ-40MR/ES-A: All versions FX5UJ-60MT/ES-A: All versions FX5UJ-60MR/ES-A: All versions FX5S-30MT/ES: All versions FX5S-30MT/DS: All versions FX5S-30MT/ESS: All versions FX5S-30MT/DSS: All versions FX5S-30MR/ES: All versions FX5S-30MR/DS: All versions FX5S-40MT/ES: All versions FX5S-40MT/DS: All versions FX5S-40MT/ESS: All versions FX5S-40MT/DSS: All versions FX5S-40MR/ES: All versions FX5S-40MR/DS: All versions FX5S-60MT/ES: All versions FX5S-60MT/DS: All versions FX5S-60MT/ESS: All versions FX5S-60MT/DSS: All versions FX5S-60MR/ES: All versions FX5S-60MR/DS: All versions FX5S-80MT/ES: All versions FX5S-80MT/ESS: All versions FX5S-80MR/ES: All versions FX5-CCLGN-MS: All versions 3.2 VULNERABILITY OVERVIEW 3.2.1 OVERLY RESTRICTIVE ACCOUNT LOCKOUT MECHANISM CWE-645 A denial-of-service (DoS) vulnerability exists in the MELSEC iQ-F series due to an overly restrictive account lockout mechanism. A remote attacker could lockout a legitimate user for a certain period of time by repeatedly attempting to login with an incorrect password. CVE-2025-5241 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L). A CVSS v4 score has also been calculated for CVE-2025-5241. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N). 3.3 BACKGROUND CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing COUNTRIES/AREAS DEPLOYED: Worldwide COMPANY HEADQUARTERS LOCATION: Japan 3.4 RESEARCHER Thai Do, Minh Pham, Quan Le, and Loc Nguyen of OPSWAT Unit 515 reported this vulnerability to Mitsubishi Electric.
4. MITIGATIONS Mitsubishi Electric Corporation has stated there are no plans to release a fixed version. Implement the following mitigation measures to minimize the risk of exploiting this vulnerability: Use a firewall or virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required. Use within a LAN and block access from untrusted networks and hosts through firewalls. Restrict physical access to the affected products and the LAN that is connected to them. Use IP filter function to block access from untrusted hosts.

NOTE: For details on the IP filter function, please refer to the following manual for each product. “13.1 IP Filter Function” in the MELSEC iQ-F FX5 User’s Manual (Communication) “4.5 Security” in the MELSEC iQ-F FX5 CC-Link IE TSN Master/Local Module User’s Manual Mitsubishi Electric Corporation recommends downloading the manual from the following Mitsubishi Electric Website. See Mitsubishi Electric’s security bulletin for more information. CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability, such as: Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet. When remote access is required, use more secure methods, such as VPNs, recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies. Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY July 3, 2025: Initial Republication of Mitsubishi Electric 2025-005