PatchSiren cyber security CVE debrief
CVE-2025-3784 Mitsubishi Electric CVE debrief
A medium-severity vulnerability in Mitsubishi Electric GX Works2 stores authentication credentials in plaintext in project files, allowing credential disclosure. An attacker with local access can extract those credentials and bypass project file protections to view or modify industrial control system configurations. No patch is currently available; CISA and Mitsubishi Electric recommend network segmentation, physical access controls, and encryption of project files during transfer.
- Vendor: Mitsubishi Electric
- Product: GX Works2
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-12-04
- Original CVE updated: 2025-12-04
- Advisory published: 2025-12-04
- Advisory updated: 2025-12-04
Who should care
Industrial control system engineers, OT security teams, and manufacturing organizations using Mitsubishi Electric GX Works2 for PLC programming should prioritize this vulnerability. Organizations with distributed engineering teams or remote access to programming workstations face elevated risk. Asset owners in critical infrastructure sectors should review project file handling procedures and implement compensating controls until vendor patches are released.
Technical summary
CVE-2025-3784 affects Mitsubishi Electric GX Works2 engineering software used for programming Mitsubishi PLCs. The vulnerability stems from storing authentication credentials in plaintext within project files. An attacker with local access to a workstation or project file can extract these credentials and use them to open password-protected project files, potentially viewing or modifying industrial control logic. The CVSS 3.1 score of 5.5 reflects a local attack vector with low attack complexity and high confidentiality impact, but no integrity or availability impact on the software itself. CISA advisory ICSA-25-338-01 confirms no patched version is currently available. Mitigations focus on access controls, network segmentation, and encryption of project files during transfer.
Defensive priority: medium
Recommended defensive actions
- Restrict physical and network access to engineering workstations running GX Works2; deploy host-based firewalls to block remote logins from untrusted sources
- Segment affected systems from untrusted networks using firewalls or VPNs; limit remote access to authenticated, authorized personnel only
- Encrypt project files when transmitting over any network to prevent credential exposure in transit
- Monitor for unauthorized access attempts to GX Works2 workstations and project file directories
- Apply security updates from Mitsubishi Electric when available; reference vendor security bulletin for patch release timing
- Implement defense-in-depth controls per CISA ICS recommended practices including antivirus deployment on engineering workstations
Evidence notes
CISA published advisory ICSA-25-338-01 on 2025-12-04 confirming plaintext credential storage in GX Works2 project files. The CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N indicates a local attack vector, low attack complexity, low privileges required, no user interaction, and high confidentiality impact with no integrity or availability impact. Mitsubishi Electric confirms a fixed version is under development.
Official resources
- CVE-2025-3784 CVE record (CVE.org)
- CVE-2025-3784 NVD detail (NVD)
- Source item URL (cisa_csaf)
2025-12-04