PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-25088 Mitsubishi Electric CVE debrief

CVE-2024-25088 is a local privilege escalation vulnerability affecting 37 Mitsubishi Electric FA Engineering Software products. If malicious code executes on a computer where affected software is installed, a local attacker may gain Windows system privileges and execute arbitrary commands. The vulnerability was published on 2024-05-14 and most recently updated on 2026-01-15 (Update E), which added version information to affected product and mitigation sections. The CVSS 3.1 score is 4.4 (MEDIUM) with vector AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N, indicating local attack vector, high attack complexity, low privileges required, user interaction required, and high impact to integrity. Affected products span Mitsubishi Electric's industrial automation software suite including GX Works2, GX Works3, GT Designer3, MX Component, MR Configurator2, and numerous interface board software packages. Multiple products have specific patched versions available, while some require contacting the place of purchase for updates.

Vendor
Mitsubishi Electric
Product
CPU Module Logging Configuration Tool
CVSS
MEDIUM 4.4
CISA KEV
Not listed in stored evidence
Original CVE published
2024-05-14
Original CVE updated
2026-01-15
Advisory published
2024-05-14
Advisory updated
2026-01-15

Who should care

Organizations operating Mitsubishi Electric industrial automation equipment including manufacturing facilities, critical infrastructure operators, and system integrators using affected FA Engineering Software products on Windows-based engineering workstations.

Technical summary

CVE-2024-25088 affects 37 Mitsubishi Electric FA Engineering Software products with a CVSS 3.1 score of 4.4 (MEDIUM). The vulnerability requires local access, high attack complexity, low privileges, and user interaction. Successful exploitation allows a local attacker to gain Windows system privileges and execute arbitrary commands. The attack vector is local (AV:L) with high attack complexity (AC:H), requiring the attacker to already have code execution capability on the target system. The integrity impact is rated HIGH (I:H) while confidentiality and availability impacts are NONE. Affected products include engineering software for PLC programming (GX Works2/3), HMI design (GT Designer3), servo configuration (MR Configurator2), communication middleware (MX Component, EZSocket), and various network interface board software packages. Remediation involves updating to specified patched versions where available; some products require vendor contact for updates, and several products (FR Configurator SW3, GX Developer, MI Configurator, MR Configurator, MX OPC Server DA/UA) are affected at all versions with no patch available, suggesting end-of-life status.

Defensive priority

medium

Recommended defensive actions

  • Inventory all Mitsubishi Electric FA Engineering Software installations across engineering workstations and identify affected versions from the 37 listed products including GX Works2, GX Works3, GT Designer3, MX Component
  • Apply vendor-provided updates: CPU Module Logging Configuration Tool to 1.160S or later, CW Configurator to 1.020W or later, Data Transfer to 3.59M or later, Data Transfer Classic to 1.01B or later, FR Configurator2 to 1
  • For products requiring purchase contact (CSGL, EZSocket), coordinate with Mitsubishi Electric representatives to obtain updated versions
  • For end-of-life products without patches (FR Configurator SW3, GX Developer, MI Configurator, MR Configurator, MX OPC Server DA/UA), evaluate migration to supported alternatives or implement compensating controls
  • Restrict local access to engineering workstations running affected software to authorized personnel only
  • Implement application whitelisting and endpoint protection on systems hosting Mitsubishi Electric engineering software to prevent malicious code execution
  • Monitor for anomalous privilege escalation attempts on Windows systems running affected FA Engineering Software
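The inventory and version-check steps above can be scripted on each engineering workstation. The PowerShell below is an added example, not part of this advisory and not Mitsubishi Electric tooling. It reads the standard Windows Uninstall registry hives (64-bit and WOW6432Node), keeps entries whose Publisher mentions Mitsubishi, and compares the installed DisplayVersion with the patched versions quoted in this debrief. Two assumptions are built in and marked in comments: that the registry DisplayName starts with the product name as written on this page (for "MX OPC Server DA/UA" the two names are split), and that the numeric part of a Mitsubishi version string ("1.160" in "1.160S") is enough to order releases, so the trailing letter is dropped before comparing. Products whose fixed version is not stated on this page are flagged for review rather than judged.

```powershell
# Added example (not from the advisory): inventory Mitsubishi Electric software and
# flag installs that are below the patched versions quoted in the CVE-2024-25088 debrief.

# Fixed versions and dispositions as given in the debrief text. Values that start
# with a digit are versions; other values are the action the debrief recommends.
# Assumption: registry DisplayName begins with these product names.
$Fixed = @{
    'CPU Module Logging Configuration Tool' = '1.160S'
    'CW Configurator'                       = '1.020W'
    'Data Transfer'                         = '3.59M'
    'Data Transfer Classic'                 = '1.01B'
    'CSGL'                                  = 'contact place of purchase for update'
    'EZSocket'                              = 'contact place of purchase for update'
    'FR Configurator SW3'                   = 'no patch, all versions affected: migrate or apply compensating controls'
    'GX Developer'                          = 'no patch, all versions affected: migrate or apply compensating controls'
    'MI Configurator'                       = 'no patch, all versions affected: migrate or apply compensating controls'
    'MR Configurator'                       = 'no patch, all versions affected: migrate or apply compensating controls'
    'MX OPC Server DA'                      = 'no patch, all versions affected: migrate or apply compensating controls'
    'MX OPC Server UA'                      = 'no patch, all versions affected: migrate or apply compensating controls'
    'GX Works2'                             = 'affected; fixed version not quoted here, check vendor advisory'
    'GX Works3'                             = 'affected; fixed version not quoted here, check vendor advisory'
    'GT Designer3'                          = 'affected; fixed version not quoted here, check vendor advisory'
    'MX Component'                          = 'affected; fixed version not quoted here, check vendor advisory'
    'MR Configurator2'                      = 'affected; fixed version not quoted here, check vendor advisory'
}

function ConvertTo-MelcoVersion {
    param([string]$Text)
    # Assumption: the numeric prefix orders releases, so "1.160S" compares as 1.160.
    if ($Text -notmatch '^(\d+(?:\.\d+)*)') { return $null }
    $num = $Matches[1]
    if ($num -notmatch '\.') { $num += '.0' }   # [version] needs at least major.minor
    return [version]$num
}

function Get-MelcoInventory {
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'

    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.Publisher -like '*Mitsubishi*' -and $_.DisplayName } |
        ForEach-Object {
            $name      = $_.DisplayName
            $installed = $_.DisplayVersion
            # Longest matching prefix wins, so "Data Transfer Classic" is not read as "Data Transfer".
            $key = $Fixed.Keys |
                   Where-Object { $name -like "$_*" } |
                   Sort-Object Length -Descending |
                   Select-Object -First 1
            $fix = if ($key) { $Fixed[$key] } else { $null }

            $status =
                if (-not $key)               { 'Mitsubishi product not in this table; check the full 37-product list' }
                elseif ($fix -notmatch '^\d') { $fix }
                else {
                    $have = ConvertTo-MelcoVersion $installed
                    $need = ConvertTo-MelcoVersion $fix
                    if ($null -eq $have)     { 'installed version unreadable; verify manually' }
                    elseif ($have -ge $need) { 'patched' }
                    else                     { "UPDATE REQUIRED (need $fix or later)" }
                }

            [pscustomobject]@{
                Product   = $name
                Installed = $installed
                Fixed     = if ($fix -match '^\d') { $fix } else { '-' }
                Status    = $status
            }
        }
}

# Run on the workstation and keep the output with the asset record.
Get-MelcoInventory | Sort-Object Status | Format-Table -AutoSize
```

Run it in an elevated PowerShell session so both registry hives are readable; entries reported as "UPDATE REQUIRED" map directly to the second action above, and the "no patch" and "contact place of purchase" rows map to the third and fourth.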

Evidence notes

Source: CISA CSAF advisory ICSA-24-135-04, published 2024-05-14, modified 2026-01-15. CVSS 3.1 vector confirmed in source. Affected product list and remediation details extracted from CSAF product tree and remediations sections.

Official resources

2024-05-14