PatchSiren

CVE-2025-10314 Mitsubishi Electric CVE debrief

CVE-2025-10314 is a high-severity local code execution issue in Mitsubishi Electric FREQSHIP-mini for Windows. CISA’s advisory says incorrect default permissions can let a local attacker replace the service executable or DLL files in the installation directory with crafted files, leading to arbitrary code execution with system privileges. Mitsubishi Electric says the issue is addressed in version 8.1.0 or later.

Vendor: Mitsubishi Electric
Product: FREQSHIP-mini for Windows
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-03
Original CVE updated: 2026-02-03
Advisory published: 2026-02-03
Advisory updated: 2026-02-03

Who should care

Organizations running Mitsubishi Electric FREQSHIP-mini for Windows, especially Windows administrators and OT/ICS teams responsible for UPS shutdown tooling on systems that may be locally accessed or remotely reachable.

Technical summary

The advisory describes a software installation directory permissions problem in FREQSHIP-mini for Windows. Because default permissions are incorrect, a local attacker may be able to swap service executable or DLL files with specially crafted versions and trigger execution with system privileges. The supplied CVSS vector is CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H (8.8 High).
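
The following audit script is an added example, not code from the advisory or from Mitsubishi Electric. It lists every principal outside a trusted set that holds write-class rights on a service's installation directory, its subfolders, and its EXE/DLL files. The service name is a placeholder parameter because the advisory does not give the FREQSHIP-mini service name or path, and the trusted SID list is an assumed policy.

```powershell
# Added example (not vendor code): list non-admin write access on a service's
# install directory, its subfolders, and its EXE/DLL files.
param([Parameter(Mandatory)][string]$ServiceName)  # placeholder: advisory gives no service name

$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found" }

# The service path may be quoted and may carry arguments; keep only the executable.
if ($svc.PathName -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
elseif ($svc.PathName -match '^\s*(.+?\.exe)') { $exe = $Matches[1] }
else { throw "Cannot parse service path: $($svc.PathName)" }
$installDir = Split-Path -Parent $exe

# Assumption: only these principals should be able to modify the install tree.
$trusted = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Bits that allow replacing or planting a file, or rewriting the ACL,
# plus GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000).
$rights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$mask = [int]$rights -bor 0x40000000 -bor 0x10000000

$targets = @($installDir) + @(
    Get-ChildItem -LiteralPath $installDir -Recurse -Force |
        Where-Object { $_.PSIsContainer -or $_.Extension -in '.exe', '.dll' } |
        ForEach-Object { $_.FullName })

$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$sidType = [System.Security.Principal.SecurityIdentifier]
$findings = foreach ($path in $targets) {
    foreach ($ace in (Get-Acl -LiteralPath $path).GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.PropagationFlags.HasFlag($inheritOnly)) { continue }  # not effective on this object
        if ($ace.IdentityReference.Value -in $trusted) { continue }
        if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }
        $name = $ace.IdentityReference.Value                           # fall back to the raw SID
        try { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{ Path = $path; Principal = $name; Rights = $ace.FileSystemRights }
    }
}

if ($findings) { $findings | Sort-Object Path, Principal | Format-Table -AutoSize -Wrap }
else { "No non-admin write access found under $installDir" }
```

Any row naming a broad group such as Users, Authenticated Users, or Everyone indicates the permission condition the advisory describes.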

Defensive priority

High. Apply the vendor fix as soon as practical, because the flaw can result in system-privileged code execution and the vendor has provided a specific fixed release.

Recommended defensive actions

  • Upgrade FREQSHIP-mini for Windows to version 8.1.0 or later from Mitsubishi Electric’s download site.
  • Limit use of affected PCs to a LAN and block remote logins from untrusted networks, hosts, and non-administrator users.
  • Use a firewall or VPN to block unauthorized access, and allow remote login only for administrators when internet exposure is unavoidable.
  • Restrict physical access to the PC and its connected network.
  • Do not click links or open attachments from untrusted sources.
  • Install and regularly update antivirus software.

Evidence notes

The source corpus is CISA CSAF advisory ICSA-26-034-01, published 2026-02-03, with revision history noting an initial republication of Mitsubishi Electric 2025-019. The advisory and vendor remediation both identify incorrect default permissions as the root cause and list version 8.1.0 or later as the fixed release. No KEV listing or ransomware-use data was supplied.

Official resources

CISA published the advisory and source item on 2026-02-03. The supplied timeline uses that date as the CVE publication context; no later update or KEV addition is present in the corpus.