PatchSiren


CVE-2025-3128 Mitsubishi Electric Europe B.V. CVE debrief

CVE-2025-3128 is a critical vulnerability in Mitsubishi Electric Europe B.V. smartRTU affecting versions <=3.37. According to the CISA CSAF advisory, a remote attacker who has bypassed authentication could execute arbitrary OS commands, leading to disclosure, tampering, destruction, deletion of information, or denial of service.

Vendor
Mitsubishi Electric Europe B.V.
Product
smartRTU
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2025-04-15
Original CVE updated
2025-05-06
Advisory published
2025-04-15
Advisory updated
2025-05-06

Who should care

Organizations running Mitsubishi Electric smartRTU, especially OT/ICS operators, plant engineers, infrastructure teams, and anyone managing remote or web access to these devices.

Technical summary

The advisory describes a remotely reachable issue in smartRTU in which an attacker who has bypassed authentication can execute arbitrary OS commands on the device. The stated impact covers confidentiality, integrity, and availability, and the affected product entry is Mitsubishi Electric Europe B.V. smartRTU: <=3.37. A CVSS base score of 9.8 corresponds to a network-reachable, low-complexity vector that requires no privileges and no user interaction, so the authentication bypass should be read as part of the attack path rather than as a separate hurdle an attacker must clear first. The CSAF advisory also recommends network access restrictions and web filtering controls as mitigations; it does not describe the injection point or the command syntax, so no further detail is given here.

Defensive priority

Immediate: critical remote OS command execution on an OT device. Any smartRTU instance at version 3.37 or earlier that can be reached from outside a trusted engineering network should be treated as exposed until it is isolated.

Recommended defensive actions

  • Restrict access to smartRTU to trusted networks only.
  • If remote access is required, place the device behind a firewall or VPN rather than exposing its interfaces directly to the Internet.
  • Prefer LAN-only deployment and block untrusted hosts and networks at the perimeter, with a default-deny rule for the device's management interfaces.
  • Where applicable, deploy a web application firewall to monitor and block malicious HTTP/HTTPS traffic; this reduces exposure but does not remove the underlying command execution flaw.
  • Review the Mitsubishi Electric Europe B.V. MEU_PSIRT_2025-3128 guidance referenced in the advisory.
  • Inventory all smartRTU instances, confirm which are running version 3.37 or earlier, and prioritize those for mitigation. The evidence summarized here does not name a fixed version, so confirm the remediation path against the vendor guidance rather than assuming an upgrade target.
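The inventory and network-restriction steps above can be scripted. The following is an added example written for this debrief, not code from Mitsubishi Electric, CISA or PatchSiren. It assumes a simple asset-inventory CSV (the sample below is constructed), assumes that dotted version components compare numerically (so 3.4 is older than 3.37, which a plain string comparison would get wrong), and uses hypothetical trusted networks and a hypothetical service port that you would replace with your own; the only fact taken from the advisory is the affected ceiling of 3.37.

```python
"""Triage smartRTU instances against CVE-2025-3128 (affected: version <= 3.37).

Added example, not vendor or PatchSiren code. The inventory format, trusted
networks and service port are assumptions of this example.
"""
import csv
import io
import ipaddress
from itertools import takewhile

AFFECTED_MAX_VERSION = "3.37"  # from CISA CSAF advisory ICSA-25-105-09

# Hypothetical trusted engineering/OT networks; replace with your own.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16"),
                    ipaddress.ip_network("192.168.50.0/24")]

# Constructed sample inventory. "allowed_sources" lists the source networks
# currently permitted to reach the device, separated by ';'.
SAMPLE_INVENTORY = """hostname,product,version,allowed_sources
rtu-north-01,smartRTU,3.37,10.20.1.0/24
rtu-north-02,smartRTU,3.4,0.0.0.0/0
rtu-south-01,smartRTU,3.38,10.20.2.0/24;203.0.113.0/24
rtu-east-01,smartRTU,3.21,192.168.50.0/24
plc-line-07,MELSEC,1.12,10.20.3.0/24
"""


def parse_version(v):
    """Dotted version -> tuple of ints so versions compare component-wise.
    Assumption: 3.4 < 3.37 (numeric). A lexical compare would rank '3.4'
    above '3.37' and silently miss an affected device."""
    parts = []
    for part in v.strip().split("."):
        digits = "".join(takewhile(str.isdigit, part))
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(product, version):
    """True when the row is a smartRTU at or below the advisory's ceiling."""
    return (product.strip().lower() == "smartrtu"
            and parse_version(version) <= parse_version(AFFECTED_MAX_VERSION))


def untrusted_sources(allowed_sources):
    """Return the allowed source networks that lie outside every trusted network."""
    bad = []
    for src in filter(None, allowed_sources.split(";")):
        net = ipaddress.ip_network(src.strip(), strict=False)
        if not any(net.subnet_of(t) for t in TRUSTED_NETWORKS):
            bad.append(str(net))
    return bad


def triage(inventory_csv):
    """Rank devices: affected+exposed first, then affected, then exposed-only."""
    rows = []
    for r in csv.DictReader(io.StringIO(inventory_csv)):
        affected = is_affected(r["product"], r["version"])
        exposed = untrusted_sources(r["allowed_sources"])
        if affected and exposed:
            priority = "immediate"
        elif affected:
            priority = "high"
        elif exposed:
            priority = "review"   # not vulnerable to this CVE, but reachable from untrusted nets
        else:
            priority = "none"
        rows.append({"hostname": r["hostname"], "version": r["version"],
                     "affected": affected, "untrusted_sources": exposed,
                     "priority": priority})
    order = {"immediate": 0, "high": 1, "review": 2, "none": 3}
    rows.sort(key=lambda x: (order[x["priority"]], x["hostname"]))
    return rows


def nft_allowlist(device_ip, service_port=443):
    """Render an nftables fragment for a perimeter router that lets only
    TRUSTED_NETWORKS reach the device's web interface and drops everything
    else to that port. The port is an assumption; set it to what the device
    actually exposes."""
    sources = ", ".join(str(n) for n in TRUSTED_NETWORKS)
    return "\n".join([
        "table inet smartrtu_guard {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        f"    ip daddr {device_ip} tcp dport {service_port} ip saddr {{ {sources} }} accept",
        f"    ip daddr {device_ip} tcp dport {service_port} drop",
        "  }",
        "}",
    ])


if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"{row['priority']:9} {row['hostname']:14} v{row['version']:6} "
              f"untrusted={row['untrusted_sources']}")
    print(nft_allowlist("10.20.1.5"))
```

On the sample data the script ranks rtu-north-02 (version 3.4, reachable from anywhere) as immediate, the two other affected units as high, and rtu-south-01 as review because it is past the affected ceiling but still reachable from a non-trusted network. Apply the rendered nftables fragment on the router or firewall in front of the device, not on the RTU itself, and widen it to cover every service the device exposes.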

Evidence notes

Facts are drawn from the CISA CSAF advisory ICSA-25-105-09 and its referenced material. The advisory identifies Mitsubishi Electric Europe B.V. smartRTU version <=3.37 as affected, describes the potential for arbitrary OS command execution, and lists network-access mitigations. The source revision history shows the initial publication on 2025-04-15 and a later revision on 2025-05-06 marked as typo fixes only.

Official resources

Published 2025-04-15T06:00:00.000Z; revised 2025-05-06T06:00:00.000Z (revision note: typo fixes).