PatchSiren cyber security CVE debrief
CVE-2024-25086 Mitsubishi Electric CVE debrief
A local privilege escalation vulnerability in 37 Mitsubishi Electric FA engineering software products allows attackers with local access and user privileges to gain Windows system privileges and execute arbitrary commands. The vulnerability requires high attack complexity and user interaction, with a medium CVSS 3.1 score of 4.4. CISA published the initial advisory on May 14, 2024, with the most recent Update E released on January 15, 2026, adding version information to affected product and mitigation sections. No known exploitation in the wild has been reported, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.
- Vendor: Mitsubishi Electric
- Product: CPU Module Logging Configuration Tool
- CVSS: MEDIUM 4.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-05-14
- Original CVE updated: 2026-01-15
- Advisory published: 2024-05-14
- Advisory updated: 2026-01-15
Who should care
Organizations using Mitsubishi Electric FA engineering software in industrial automation environments, particularly manufacturing, process control, and critical infrastructure sectors. System administrators, OT security teams, and asset owners responsible for maintaining secure engineering workstations should prioritize inventory and patching activities.
Technical summary
The vulnerability exists in multiple Mitsubishi Electric FA engineering software products where malicious code execution on an affected system can lead to local privilege escalation. The attack requires local access, low privileges, and user interaction, with high attack complexity. Successful exploitation grants Windows system privileges and arbitrary command execution. The CVSS 3.1 score is 4.4 (Medium) with vector AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N, indicating local attack vector, high attack complexity, low privileges required, user interaction required, and high impact to integrity. Thirty-seven products are affected including GX Works2, GX Works3, GT Designer3, MX Component, and various configuration and monitoring tools. Vendor fixes are available for most products through the Mitsubishi Electric download portal, with some requiring purchase assistance.
Defensive priority
medium
Recommended defensive actions
- Inventory all Mitsubishi Electric FA engineering software installations and identify affected versions using the product list in the CISA advisory
- Apply vendor-provided updates: CPU Module Logging Configuration Tool to 1.160S or later; GX Works2 to 1.625B or later; GX Works3 to 1.110Q or later; and corresponding updates for other affected products per the advisory
- For products requiring purchase assistance (CSGL, EZSocket), contact your Mitsubishi Electric place of purchase
- Restrict local access to engineering workstations running affected software to authorized personnel only
- Implement application whitelisting and endpoint protection on engineering workstations to prevent malicious code execution
- Follow CISA ICS recommended practices for defense-in-depth strategies
- Monitor for anomalous privilege escalation attempts on systems running affected Mitsubishi Electric software
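The inventory and patch-status steps above can be automated against the version ceilings and fixed versions quoted in this debrief. The following is an added example, not tooling from Mitsubishi Electric or CISA; it assumes the advisory's version strings follow a "major.minorLETTER" scheme in which the numeric parts order first and the letter suffix last, and the inventory rows are constructed.

```python
import re

# Version scheme seen in the advisory text: "<major>.<minor><letter>", e.g. 1.154L.
# Assumption (not stated on the page): numeric parts compare first, letter suffix last.
_VER_RE = re.compile(r"^(\d+)\.(\d+)([A-Z])$")

def parse_version(text: str) -> tuple[int, int, str]:
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Mitsubishi version string: {text!r}")
    return int(m.group(1)), int(m.group(2)), m.group(3)

# (affected ceiling, first fixed version) for the three products named in this debrief.
ADVISORY = {
    "CPU Module Logging Configuration Tool": ("1.154L", "1.160S"),
    "GX Works2": ("1.622Y", "1.625B"),
    "GX Works3": ("1.106L", "1.110Q"),
}

def assess(product: str, installed: str) -> str:
    """Classify one installation as 'affected', 'fixed', 'review' or 'not-tracked'."""
    if product not in ADVISORY:
        return "not-tracked"
    ceiling, fixed = (parse_version(v) for v in ADVISORY[product])
    v = parse_version(installed)
    if v <= ceiling:
        return "affected"
    if v >= fixed:
        return "fixed"
    return "review"  # above the affected ceiling but below the fix: confirm against the advisory

# Constructed inventory (hostname, product, version) for illustration only.
INVENTORY = [
    ("ENG-WS-01", "GX Works3", "1.106L"),
    ("ENG-WS-02", "GX Works3", "1.110Q"),
    ("ENG-WS-03", "GX Works2", "1.623Z"),
    ("ENG-WS-04", "CPU Module Logging Configuration Tool", "1.150A"),
    ("ENG-WS-05", "Some Other Tool", "2.000A"),
]

def needs_action(inventory):
    """Return (host, product, version, status) rows that are not confirmed fixed."""
    report = []
    for host, product, version in inventory:
        status = assess(product, version)
        if status in ("affected", "review"):
            report.append((host, product, version, status))
    return report

if __name__ == "__main__":
    for row in needs_action(INVENTORY):
        print("%-10s %-40s %-8s %s" % row)
```

Extend ADVISORY with the remaining 34 products from the CISA advisory before running it against a real workstation inventory.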
Evidence notes
Source: CISA CSAF advisory ICSA-24-135-04 (Update E, published 2026-01-15). CVSS 3.1 vector: AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N. Affected products include CPU Module Logging Configuration Tool (≤1.154L), GX Works2 (≤1.622Y), GX Works3 (≤1.106L), and 34 additional Mitsubishi Electric FA engineering software products.
Official resources
- CVE-2024-25086 CVE record (CVE.org)
- CVE-2024-25086 NVD detail (NVD)
- Source item: cisa_csaf