PatchSiren

CVE-2025-3511 Mitsubishi Electric CVE debrief

CVE-2025-3511 is a remote denial-of-service vulnerability in Mitsubishi Electric industrial automation products. The issue is in Ethernet functionality and is triggered by a specially crafted UDP packet. Impact is availability only, but it affects multiple CC-Link IE TSN and MELSEC product families used in OT environments, so exposed systems should be prioritized for remediation and network containment.

Vendor: Mitsubishi Electric
Product: CC-Link IE TSN Remote I/O module NZ2GN2S1-32D
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-04-25
Original CVE updated: 2026-04-30
Advisory published: 2025-04-25
Advisory updated: 2026-04-30

Who should care

OT and ICS operators, plant engineers, integrators, and security teams responsible for Mitsubishi Electric FA products, especially CC-Link IE TSN and MELSEC devices reachable over Ethernet/UDP. Sites with flat OT networks or any external access path to these devices should treat this as high priority.

Technical summary

The advisory describes an Improper Validation of Specified Quantity in Input (CWE-1284) weakness in the Ethernet function of multiple Mitsubishi Electric FA products. A remote attacker can send a specially crafted UDP packet to trigger a denial-of-service condition. Reported effects include device service disruption, communication delay, or timeout behavior depending on the product family, and recovery requires a system reset for the affected products. For FX5 Ethernet and FX5-ENET/IP, the source notes that a timeout may clear once valid UDP traffic resumes.

Defensive priority

High. The vulnerability is network-exploitable, requires no authentication or user interaction, and can interrupt industrial communications. Because the affected products are used in operational environments and the source notes that recovery may require a reset, remediation and segmentation should be handled urgently on any reachable deployment.

Recommended defensive actions

  • Verify whether any Mitsubishi Electric products in your environment match the affected models and version ranges listed in the vendor advisory.
  • Apply the vendor-fixed versions appropriate to each product family, using the Mitsubishi Electric security advisory as the source of truth for exact thresholds.
  • For internet-reachable or routed deployments, place the affected devices behind firewalls or VPNs and block untrusted UDP access.
  • Keep affected products within a trusted LAN and restrict physical access to the products and the LAN they use.
  • Follow ICS defense-in-depth guidance from CISA for segmentation, access control, and secure remote access.
  • If a device is impacted, plan for the possibility that recovery may require a system reset, and schedule maintenance windows accordingly.
  • Confirm patch status after remediation and re-test industrial communications to ensure the fixed firmware or software is operating normally.

Evidence notes

Primary evidence comes from the CISA CSAF advisory for ICSA-25-128-03/CVE-2025-3511 and the linked Mitsubishi Electric PSIRT advisory. The source metadata shows initial publication on 2025-04-25 and latest advisory republication on 2026-04-30 (Update C). The advisory states the flaw is a DoS in Ethernet functions caused by improper validation of specified quantity in input, with CVSS v3.1 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). It also states that recovery may require a system reset and provides fixed-version thresholds and mitigations for the affected product families.

Official resources

Publicly disclosed through the CISA CSAF advisory on 2025-04-25, with later vendor/CISA update history extending through the 2026-04-30 Update C republication.