PatchSiren

Mitsubishi Electric CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

CRITICAL Mitsubishi Electric CVE published 2026-02-05

CVE-2025-15080

CVE-2025-15080 is a critical, network-reachable vulnerability in Mitsubishi Electric MELSEC iQ-R Series R08/16/32/120PCPU firmware affecting proprietary protocol and SLMP communications. According to the CISA advisory republishing Mitsubishi Electric’s 2025-020 notice, a specially crafted packet with a specific command may let an attacker read device data or part of a control program, write device data, o [truncated]

HIGH Mitsubishi Electric CVE published 2026-02-03

CVE-2025-10314

CVE-2025-10314 is a high-severity local code execution issue in Mitsubishi Electric FREQSHIP-mini for Windows. CISA’s advisory says incorrect default permissions can let a local attacker replace the service executable or DLL files in the installation directory with crafted files, leading to arbitrary code execution with system privileges. Mitsubishi Electric says the issue is addressed in version 8.1.0 or later.

MEDIUM Mitsubishi Electric CVE published 2025-12-16

CVE-2025-11009

Mitsubishi Electric GT Designer3 contains an information disclosure vulnerability (CWE-312) due to cleartext storage of sensitive credentials. The engineering software stores and verifies credentials in plain text within project files, allowing an attacker with access to these files to extract plaintext credentials. Successful credential extraction could enable unauthorized operation of connected GOT2000 [truncated]

MEDIUM Mitsubishi Electric CVE published 2025-12-04

CVE-2025-3784

A medium-severity vulnerability in Mitsubishi Electric GX Works2 allows credential disclosure from plaintext storage in project files. An attacker with local access can extract authentication credentials and bypass project file protections to view or modify industrial control system configurations. No patch is currently available; CISA and Mitsubishi Electric recommend network segmentation, physical acces [truncated]

HIGH Mitsubishi Electric CVE published 2025-07-24

CVE-2016-2542

CVE-2016-2542 covers a DLL hijacking issue caused by an uncontrolled search path element in Flexera InstallShield components used by multiple Mitsubishi Electric CNC Series software tools. The CISA CSAF advisory was first published on 2025-07-24 and later updated on 2026-01-29; it lists 19 affected products, with fixed versions for only some products and no planned fixed versions for several others.

HIGH Mitsubishi Electric CVE published 2025-07-03

CVE-2024-11477

CVE-2024-11477 is a high-severity issue in Mitsubishi Electric MELSOFT Update Manager where a bundled 7-Zip integer underflow can be triggered when a user decompresses a specially crafted archive. CISA’s advisory says a local authenticated attacker could obtain code execution by getting an authorized user to open the malicious compressed file, with potential impact to confidentiality, integrity, and availability.

CRITICAL Mitsubishi Electric CVE published 2025-06-26

CVE-2025-3699

CVE-2025-3699 is a critical authentication bypass affecting Mitsubishi Electric air conditioning control systems. According to the CISA CSAF advisory, an attacker may bypass authentication to gain unauthorized control or access sensitive information stored in the system, and that information may be used to tamper with firmware. CISA published the advisory on 2025-06-26, later issued Update A on 2025-08-21 [truncated]

CRITICAL Mitsubishi Electric CVE published 2025-06-03

CVE-2025-3755

CVE-2025-3755 affects Mitsubishi Electric MELSEC iQ-F series PLCs. According to the CISA advisory, a remote attacker can send specially crafted packets to read information in the product, disrupt MELSOFT connection communication with Mitsubishi Electric FA products such as GX Works3 and GOT, or stop the CPU module and force a reset for recovery. The advisory was published on 2025-06-03 and assigns a CVSS [truncated]

MEDIUM Mitsubishi Electric CVE published 2025-05-20

CVE-2025-0921

CVE-2025-0921 is a medium-severity information tampering issue in multiple Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions products. CISA and the vendor describe a local attack path where a user creates a symbolic link from a file a service writes to, redirecting the write to an arbitrary target file. If the target is important to system operation, the overwrite can destroy it and tr [truncated]

HIGH Mitsubishi Electric CVE published 2025-04-25

CVE-2025-3511

CVE-2025-3511 is a remote denial-of-service vulnerability in Mitsubishi Electric industrial automation products. The issue is in Ethernet functionality and is triggered by a specially crafted UDP packet. Impact is availability only, but it affects multiple CC-Link IE TSN and MELSEC product families used in OT environments, so exposed systems should be prioritized for remediation and network containment.

HIGH Mitsubishi Electric CVE published 2024-12-03

CVE-2024-8299

A malicious code execution vulnerability exists in the Phone agent component of the multi-agent notification feature across multiple Mitsubishi Electric and Mitsubishi Electric Iconics Digital Solutions products. The vulnerability stems from an uncontrolled search path element (CWE-427) that allows local attackers to execute arbitrary code. The issue affects GENESIS64, ICONICS Suite, MC Works64, and GENES [truncated]

HIGH Mitsubishi Electric CVE published 2024-07-09

CVE-2024-3904

A local code execution vulnerability in Mitsubishi Electric MI5122-VW industrial PC firmware allows authenticated attackers with local access to achieve arbitrary code execution by placing malicious files in a specific directory. The vulnerability affects firmware versions 05 through 07 and carries a CVSS 3.1 score of 8.8 (High severity). Successful exploitation enables full compromise of confidentiality, [truncated]

MEDIUM Mitsubishi Electric CVE published 2024-05-14

CVE-2024-26314

A local privilege escalation vulnerability affects 37 Mitsubishi Electric FA engineering software products. If malicious code executes on a system with affected software installed, a local attacker can gain Windows system privileges and execute arbitrary commands. The vulnerability requires local access, high attack complexity, and user interaction, resulting in a CVSS 3.1 score of 4.4 (Medium). CISA publ [truncated]

MEDIUM Mitsubishi Electric CVE published 2024-05-14

CVE-2024-25088

CVE-2024-25088 is a local privilege escalation vulnerability affecting 37 Mitsubishi Electric FA Engineering Software products. If malicious code executes on a computer where affected software is installed, a local attacker may gain Windows system privileges and execute arbitrary commands. The vulnerability was published on 2024-05-14 and most recently updated on 2026-01-15 (Update E), which added version [truncated]

MEDIUM Mitsubishi Electric CVE published 2024-05-14

CVE-2024-25087

A local denial-of-service vulnerability in 37 Mitsubishi Electric FA engineering software products allows an attacker with low privileges to trigger a Windows blue screen error (BSOD) if malicious code is already executing on the target system. The vulnerability requires high attack complexity and user interaction, limiting its practical exploitability. CISA published the initial advisory on 2024-05-14, w [truncated]

MEDIUM Mitsubishi Electric CVE published 2024-05-14

CVE-2024-25086

A local privilege escalation vulnerability in 37 Mitsubishi Electric FA engineering software products allows attackers with local access and user privileges to gain Windows system privileges and execute arbitrary commands. The vulnerability requires high attack complexity and user interaction, with a medium CVSS 3.1 score of 4.4. CISA published the initial advisory on May 14, 2024, with the most recent Up [truncated]

MEDIUM Mitsubishi Electric CVE published 2024-05-14

CVE-2024-22106

CVE-2024-22106 is a local privilege escalation and denial-of-service vulnerability affecting 37 Mitsubishi Electric FA engineering software products. Published on 2024-05-14 and last modified on 2026-01-15 (Update E), this vulnerability requires an attacker to already execute malicious code on the target system. Successful exploitation can trigger a Windows blue screen error (denial-of-service) or grant W [truncated]

MEDIUM Mitsubishi Electric CVE published 2024-05-14

CVE-2024-22105

CVE-2024-22105 is a local denial-of-service vulnerability affecting 37 Mitsubishi Electric FA engineering software products. If malicious code executes on a computer where affected software is installed, a local attacker can trigger a Windows blue screen error, resulting in denial-of-service. The vulnerability requires local access, low privileges, and user interaction, with high attack complexity. CISA p [truncated]

MEDIUM Mitsubishi Electric CVE published 2024-05-14

CVE-2024-22104

A local denial-of-service vulnerability in Mitsubishi Electric FA engineering software products allows an attacker with low privileges to trigger a Windows blue screen error by executing malicious code on a system where affected software is installed. The vulnerability requires high attack complexity and user interaction, limiting its exploitability but presenting a risk to operational continuity in indus [truncated]

MEDIUM Mitsubishi Electric CVE published 2024-05-14

CVE-2024-22103

CVE-2024-22103 is a local denial-of-service vulnerability affecting 37 Mitsubishi Electric FA engineering software products. If malicious code executes on a computer where affected software is installed, a local attacker can trigger a Windows blue screen error, resulting in denial-of-service. The vulnerability requires local access, low privileges, and user interaction, with high attack complexity. CISA p [truncated]

MEDIUM Mitsubishi Electric CVE published 2024-05-14

CVE-2024-22102

CVE-2024-22102 is a local denial-of-service vulnerability affecting 37 Mitsubishi Electric FA engineering software products. If malicious code executes on a computer where affected software is installed, a local attacker can trigger a Windows blue screen error, resulting in denial-of-service. The vulnerability was published on May 14, 2024, and most recently updated on January 15, 2026 (Update E), which a [truncated]

MEDIUM Mitsubishi Electric CVE published 2024-05-14

CVE-2023-51778

CVE-2023-51778 is a local denial-of-service vulnerability affecting 37 Mitsubishi Electric FA engineering software products. If malicious code executes on a computer where affected software is installed, a local attacker can trigger a Windows blue screen error, resulting in denial-of-service. The vulnerability requires local access, low privileges, and user interaction, with high attack complexity. CISA p [truncated]

MEDIUM Mitsubishi Electric CVE published 2024-05-14

CVE-2023-51777

CVE-2023-51777 is a local denial-of-service vulnerability affecting 37 Mitsubishi Electric FA engineering software products. If malicious code executes on a host with affected software installed, a local attacker can trigger a Windows blue screen error, resulting in system unavailability. The vulnerability requires local access, low privileges, and user interaction, with high attack complexity. CISA publi [truncated]

MEDIUM Mitsubishi Electric CVE published 2024-05-14

CVE-2023-51776

CVE-2023-51776 is a local privilege escalation vulnerability affecting 37 Mitsubishi Electric FA engineering software products. If malicious code executes on a system with affected software installed, a local attacker can gain Windows system privileges and execute arbitrary commands. The vulnerability was published on 2024-05-14 and most recently modified on 2026-01-15 as Update E, which added version inf [truncated]