PatchSiren

CVE-2025-11009 Mitsubishi Electric CVE debrief

Mitsubishi Electric GT Designer3 contains an information disclosure vulnerability (CWE-312) due to cleartext storage of sensitive credentials. The engineering software stores and verifies credentials in plain text within project files, allowing an attacker with access to these files to extract plaintext credentials. Successful credential extraction could enable unauthorized operation of connected GOT2000 series or GOT1000 series human-machine interface (HMI) devices. The vulnerability requires local access to project files and has high attack complexity, with no user interaction needed. The CVSS 3.1 score of 5.1 (Medium) reflects the confidentiality impact without integrity or availability effects.

Vendor: Mitsubishi Electric
Product: GT Designer3 Version1 (GOT2000)
CVSS: MEDIUM 5.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-12-16
Original CVE updated: 2025-12-16
Advisory published: 2025-12-16
Advisory updated: 2025-12-16

Who should care

Industrial control system engineers, OT security teams, and manufacturing organizations using Mitsubishi Electric GOT series HMIs with GT Designer3 engineering software should prioritize assessment. Organizations with distributed engineering teams or project file sharing practices face elevated exposure. Asset owners in critical infrastructure sectors with regulatory requirements for credential protection should evaluate compliance implications.

Technical summary

GT Designer3 Version1 stores authentication credentials in plaintext within project files. The software performs credential verification without cryptographic protection, exposing usernames and passwords to any party with file system access to project files. This design flaw enables credential harvesting from backup archives, shared directories, or compromised workstations. Extracted credentials may authenticate to GOT2000 and GOT1000 series HMIs, potentially allowing unauthorized process manipulation. The vulnerability is classified as information disclosure with no direct integrity or availability impact on the engineering software itself, though downstream integrity impacts on connected control systems are possible through credential misuse.

Defensive priority

Medium

Recommended defensive actions

  • Restrict GT Designer3 workstations to internal LAN segments and block remote login from untrusted networks, hosts, and users
  • When internet connectivity is required, deploy firewall rules and VPN access controls to prevent unauthorized remote access
  • Maintain current antivirus software on all engineering workstations running GT Designer3
  • Implement security awareness training to prevent opening of untrusted files or clicking untrusted links
  • Review Mitsubishi Electric's security advisory for additional vendor-specific guidance
  • Audit existing GT Designer3 project files for exposure risk and rotate any credentials that may have been stored in legacy project files
  • Apply network segmentation between engineering workstations and operational HMI networks to limit lateral movement potential

Evidence notes

CISA ICS advisory ICSA-25-350-04 published 2025-12-16 documents this vulnerability with vendor confirmation from Mitsubishi Electric. The advisory specifies affected products as GT Designer3 Version1 for both GOT2000 and GOT1000 series. CVSS vector AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N indicates local attack vector with high complexity but no privileges or user interaction required.

Official resources

2025-12-16