PatchSiren cyber security CVE debrief
CVE-2025-3755 Mitsubishi Electric CVE debrief
CVE-2025-3755 affects Mitsubishi Electric MELSEC iQ-F series PLCs. According to the CISA advisory, a remote attacker can send specially crafted packets to read information in the product, disrupt MELSOFT connection communication with Mitsubishi Electric FA products such as GX Works3 and GOT, or stop the CPU module and force a reset for recovery. The advisory was published on 2025-06-03 and assigns a CVSS v3.1 score of 9.1 (critical).
- Vendor
- Mitsubishi Electric
- Product
- FX5U-32MT/ES
- CVSS
- CRITICAL 9.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2025-06-03
- Original CVE updated
- 2025-06-03
- Advisory published
- 2025-06-03
- Advisory updated
- 2025-06-03
Who should care
OT/ICS operators, plant engineers, system integrators, and maintenance teams using Mitsubishi Electric MELSEC iQ-F PLCs—especially where GX Works3, GOT, or other MELSOFT connections are reachable from shared, remote, or Internet-connected networks.
Technical summary
The supplied CISA CSAF advisory describes a network-reachable issue in Mitsubishi Electric MELSEC iQ-F products affecting many FX5U, FX5UC, FX5UJ, and FX5S variants. The attack requires no privileges and no user interaction (CVSS: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H). Impact includes information disclosure, denial of service in MELSOFT connection communications, and stopping the CPU module, with recovery requiring a product reset. The advisory’s mitigation guidance centers on restricting network exposure, using firewalls/VPNs, applying IP filtering, and limiting physical access.
Defensive priority
Critical. This is remotely exploitable without authentication and can directly interrupt PLC operation or engineering/HMI communications. Prioritize exposure reduction, segmentation, and access control immediately for any affected PLC reachable outside a tightly controlled OT network.
Recommended defensive actions
- Follow Mitsubishi Electric advisory 2025-003 and the CISA ICSA-25-153-03 guidance for all affected MELSEC iQ-F variants.
- Keep affected PLCs off untrusted networks; place them behind firewalls and, when remote access is necessary, require a VPN and strict allow-listing.
- Enable and maintain the PLC IP filter function to block access from untrusted hosts.
- Use the affected products only within a trusted LAN and block direct access from untrusted networks and hosts.
- Restrict physical access to the PLCs and the LAN they connect to.
- Review GX Works3, GOT, and MELSOFT communication paths to remove unnecessary exposure.
- Validate operational recovery procedures, since successful disruption may require a reset of the product.
Evidence notes
This debrief is based on the CISA CSAF advisory published 2025-06-03 for CVE-2025-3755 (ICSA-25-153-03). The advisory names 80 affected product variants and states that specially crafted packets can disclose information, disrupt MELSOFT communications, or stop the CPU module. The remediation section in the supplied source emphasizes network controls, IP filtering, physical access restrictions, and a link to Mitsubishi Electric advisory 2025-003; no fixed software version or patch was included in the supplied corpus.
Official resources
-
CVE-2025-3755 CVE record
CVE.org
-
CVE-2025-3755 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
Publicly disclosed by CISA in ICS advisory ICSA-25-153-03 on 2025-06-03, with same-day initial publication in the supplied CSAF record.