PatchSiren cyber security CVE debrief

CVE-2025-5241 Mitsubishi Electric Corporation CVE debrief

CVE-2025-5241 is a medium-severity availability issue in Mitsubishi Electric's MELSEC iQ-F series. A remote attacker can trigger a temporary account lockout by repeatedly submitting incorrect passwords, which can prevent legitimate access to affected controllers until the lockout expires.

Vendor: Mitsubishi Electric Corporation
Product: FX5U-32MT/ES
CVSS: 5.3 (MEDIUM)
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-07-03
Original CVE updated: 2025-07-03
Advisory published: 2025-07-03
Advisory updated: 2025-07-03

Who should care

OT/ICS operators, plant engineers, and security teams responsible for Mitsubishi Electric MELSEC iQ-F installations, especially systems exposed to remote access or connected to broader enterprise networks.

Technical summary

CISA's CSAF advisory (ICSA-25-184-04, published 2025-07-03) describes an overly restrictive account lockout mechanism affecting 73 Mitsubishi Electric MELSEC iQ-F product variants. The issue is remotely reachable and can be used to cause a denial of service by locking out a legitimate user after repeated failed login attempts. The supplied CVSS v3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (5.3).
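The failure mode described above can be seen in a small model of two lockout policies. This is an added example, not Mitsubishi Electric code or an account of the controller's firmware; the threshold, lockout duration, credentials and source addresses are constructed assumptions.

```python
from collections import defaultdict

THRESHOLD = 5          # assumed: failed attempts allowed before lockout
LOCKOUT_SECONDS = 600  # assumed: lockout duration in seconds

class AccountKeyedLockout:
    """Failures are counted per account only. Anyone who can reach the login
    interface can exhaust the counter and lock the real operator out, which
    is the denial-of-service pattern the advisory describes."""
    def __init__(self, credentials):
        self.credentials = credentials      # constructed account store
        self.failures = defaultdict(int)
        self.locked_until = {}

    def key(self, user, source):
        return user

    def login(self, user, password, source, now):
        k = self.key(user, source)
        if self.locked_until.get(k, 0) > now:
            return "locked"
        if self.credentials.get(user) == password:
            self.failures[k] = 0
            return "ok"
        self.failures[k] += 1
        if self.failures[k] >= THRESHOLD:
            self.locked_until[k] = now + LOCKOUT_SECONDS
            self.failures[k] = 0
        return "denied"

class SourceKeyedLockout(AccountKeyedLockout):
    """Failures are counted per (source, account), so one host's failures do
    not block the same account from another host. Many distinct sources
    weaken this, which is why the network restrictions and IP filter the
    advisory recommends still matter."""
    def key(self, user, source):
        return (source, user)

def simulate(policy_cls):
    """Replay the advisory's scenario: a remote party submits THRESHOLD wrong
    passwords, then the legitimate operator logs in from a different host.
    Returns (operator_result, results_of_the_failed_attempts)."""
    ctl = policy_cls({"engineer": "correct-horse"})   # constructed credential
    attempts = [ctl.login("engineer", "wrong%d" % i, "198.51.100.7", i)
                for i in range(THRESHOLD)]
    operator = ctl.login("engineer", "correct-horse", "192.0.2.10", THRESHOLD + 1)
    return operator, attempts

if __name__ == "__main__":
    for cls in (AccountKeyedLockout, SourceKeyedLockout):
        print(cls.__name__, simulate(cls))
```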

Defensive priority

Medium; elevate if affected controllers are reachable from untrusted networks or remote-access paths.

Recommended defensive actions

  • Apply Mitsubishi Electric's stated mitigations, as no fixed version is planned in the advisory.
  • Place affected products behind a firewall or VPN when Internet access is required.
  • Use the devices within a LAN and block access from untrusted networks and hosts.
  • Restrict physical access to the affected products and the LAN connected to them.
  • Enable and use the IP filter function to block access from untrusted hosts, following the relevant Mitsubishi Electric manuals.
  • Review Mitsubishi Electric's security bulletin and operator manuals for the affected model family before making network or access changes.

Evidence notes

All core facts are taken from the CISA CSAF advisory for ICSA-25-184-04, published and modified on 2025-07-03. The advisory states that the issue is a DoS caused by an overly restrictive account lockout mechanism, affects 73 product variants in the MELSEC iQ-F family, and has no planned fixed version. The supplied CVSS v3.1 score is 5.3, with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L.

Official resources

Publicly disclosed by CISA on 2025-07-03 as ICSA-25-184-04; the advisory's revision history shows initial publication only, and Mitsubishi Electric states that no fixed version is planned.