PatchSiren cyber security CVE debrief
CVE-2025-15080 Mitsubishi Electric CVE debrief
CVE-2025-15080 is a critical, network-reachable vulnerability in Mitsubishi Electric MELSEC iQ-R Series R08/16/32/120PCPU firmware affecting proprietary protocol and SLMP communications. According to the CISA advisory republishing Mitsubishi Electric’s 2025-020 notice, a specially crafted packet with a specific command may let an attacker read device data or part of a control program, write device data, or cause denial of service. Mitsubishi Electric advises updating to firmware version 49 or later and applying network and physical access restrictions until remediation is complete.
- Vendor: Mitsubishi Electric
- Product: MELSEC iQ-R Series R08/16/32/120PCPU firmware
- CVSS: CRITICAL 9.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-02-05
- Original CVE updated: 2026-02-05
- Advisory published: 2026-02-05
- Advisory updated: 2026-02-05
Who should care
OT/ICS operators using MELSEC iQ-R controllers, PLC and automation engineers, plant network administrators, and security teams responsible for segmented industrial networks and firmware maintenance.
Technical summary
The advisory describes an information disclosure, information tampering, and denial-of-service issue in Mitsubishi Electric proprietary protocol communication and SLMP communication used by the affected MELSEC iQ-R firmware. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H: the issue is reachable over the network with low attack complexity, requires no privileges or user interaction, and has low confidentiality impact but high integrity and availability impact. The vendor states fixed firmware is version 49 or later and recommends firewall/VPN controls, IP filtering, LAN-only use, and restricting physical access to the product and connected network.
Defensive priority
Immediate
Recommended defensive actions
- Identify all Mitsubishi Electric MELSEC iQ-R Series R08/16/32/120PCPU firmware deployments and confirm whether they are below version 49.
- Upgrade affected devices to firmware version 49 or later using Mitsubishi Electric’s documented firmware update procedure and download package.
- Restrict access from untrusted networks and hosts with firewalls, VPNs, and IP filtering; keep the product within a segmented LAN where possible.
- Limit physical access to the affected product and its connected LAN.
- Review Mitsubishi Electric’s advisory and CISA industrial control system recommended practices for deployment-specific hardening guidance.
- Coordinate with local Mitsubishi Electric support if you need update assistance or confirmation of affected product handling.
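The first action above, checking an asset inventory against the version 49 threshold, can be scripted. The following is an added example, not code from Mitsubishi Electric, CISA or this page's source; the CSV column names, asset names and firmware string formats are constructed assumptions.

```python
import csv
import io
import re

FIXED_VERSION = 49  # from the advisory: firmware version 49 or later is fixed
# The advisory's shorthand "R08/16/32/120PCPU" expanded to individual models.
AFFECTED_MODELS = {f"R{n}PCPU" for n in ("08", "16", "32", "120")}

# Constructed sample inventory; the column layout is an assumption.
SAMPLE_INVENTORY = """\
asset,model,firmware
line1-plc,R08PCPU,48
line2-plc,r16pcpu,49
boiler-plc,R120PCPU ,
mixer-plc,R32PCPU,v52
packer-plc,R08CPU,31
kiln-plc,R32PCPU,07
"""

def classify(model, firmware):
    """Return AFFECTED, FIXED, UNKNOWN or OUT_OF_SCOPE for one inventory row."""
    # Normalise case and stray separators so "r16pcpu" or "R120PCPU " still match.
    name = re.sub(r"[\s\-_]", "", model or "").upper()
    if name not in AFFECTED_MODELS:
        return "OUT_OF_SCOPE"
    # Accept "48", "07", "v52", "ver.52"; anything else is not a usable version.
    match = re.fullmatch(r"\s*(?:v(?:er(?:sion)?)?\.?)?\s*(\d+)\s*", firmware or "", re.I)
    if not match:
        return "UNKNOWN"  # needs manual verification; never assume it is fixed
    return "AFFECTED" if int(match.group(1)) < FIXED_VERSION else "FIXED"

def triage(inventory_text):
    """Classify every row and list the ones needing action first."""
    rows = csv.DictReader(io.StringIO(inventory_text))
    result = [(r["asset"], classify(r["model"], r["firmware"])) for r in rows]
    order = {"AFFECTED": 0, "UNKNOWN": 1, "FIXED": 2, "OUT_OF_SCOPE": 3}
    return sorted(result, key=lambda item: (order[item[1]], item[0]))

if __name__ == "__main__":
    for asset, status in triage(SAMPLE_INVENTORY):
        print(f"{status:13} {asset}")
```

Rows with a missing or unreadable firmware field are reported as UNKNOWN so they are checked on the device rather than silently treated as patched.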
Evidence notes
Primary evidence comes from the CISA CSAF advisory for ICSA-26-036-02, published and modified on 2026-02-05. The advisory states the issue affects Mitsubishi Electric MELSEC iQ-R Series R08/16/32/120PCPU firmware and can expose device data or part of a control program, modify device data, or cause denial of service through a specially crafted packet. The source also provides the vendor remediation target of firmware version 49 or later and mitigation guidance using firewalls, VPNs, IP filters, LAN-only exposure, and restricted physical access. No KEV entry is supplied in the enrichment data.
Official resources
- CVE-2025-15080 CVE record (CVE.org)
- CVE-2025-15080 NVD detail (NVD)
- Source item URL (cisa_csaf)
The public advisory was released by CISA on 2026-02-05 and republishes Mitsubishi Electric’s 2025-020 bulletin. The supplied enrichment does not list any Known Exploited Vulnerabilities (KEV) entry or known ransomware campaign use.