Mitsubishi MELSEC iQ-F CPU Module Info Leak & DoS Vulnerability (CVSS 9.1)

Key Information Vulnerability Overview Vulnerability Type: Information Disclosure and Denial of Service (DoS) Affected Products: MELSEC iQ-F Series CPU Modules Release Date: May 29, 2025 CVSS Score: 9.1 (Critical) Affected Products Series: MELSEC iQ-F Series Product Names and Versions: - FX5U-MV/z x=32,64,80, y=T,R, z=ES,DS,ESS,DSS: All versions - FX5UC-xMV/z x=32,64,96, y=T,R, z=D,DSS: All versions - FX5UC-32MT/DS-TS, FX5UC-32MT/DSS-TS, FX5UC-32MR/DS-TS: All versions - FX5UJ-xMV/z x=24,40,60, y=T,R, z=ES,DS,ESS,DSS: All versions - FX5UJ-xMV/ESA^1 x=24,40,60, y=T,R: All versions - FX5S-xMV/z x=30,40,60,80^1, y=T,R, z=ES,DS,DSS: All versions Description Cause: Due to improper validation of specified index, position, or offset (CWE-1285), leading to information disclosure and Denial of Service (DoS) vulnerabilities. Impact Consequences: Remote attackers can send specially crafted packets to read information from the product, causing a Denial of Service (DoS) condition on MELSOFT connections, or halt CPU module operations (inducing a DoS condition on the CPU module), requiring product reset to recover. Customer Mitigation Measures Mitigation/Workarounds: - Use firewalls or Virtual Private Networks (VPNs) to prevent unauthorized access. - When internet access is required, use a Local Area Network (LAN) and block access from untrusted networks and hosts via firewall. - Use IP filtering functionality*2 to block access from untrusted hosts. - Restrict physical access to affected products and associated LANs.

Goal Reached Thanks to every supporter — we hit 100%!

Mitsubishi MELSEC iQ-F CPU Module Info Leak & DoS Vulnerability (CVSS 9.1)