Executive Summary
In November 2025, a denial-of-service (DoS) vulnerability (CVE-2025-10259) impacting Mitsubishi Electric MELSEC iQ-F Series programmable logic controllers was publicly disclosed. Researchers from Zhongguancun Laboratory and Tsinghua University identified that improper validation in the TCP communication module allowed remote attackers to send specially crafted TCP packets, causing affected devices to disconnect and become temporarily unresponsive. The vulnerability (CVSS 5.3) requires no authentication and can be exploited remotely, posing a notable risk to industrial control systems in the critical manufacturing sector worldwide.
This incident highlights persistent cybersecurity weaknesses in industrial IoT and critical infrastructure devices, which attackers increasingly target to disrupt operations. As regulatory expectations and threat actor sophistication rise, even moderate-severity flaws in ICS environments must be prioritized and mitigated decisively.
Why This Matters Now
Industrial organizations face mounting risks from remotely exploitable ICS vulnerabilities like this one, which could disrupt manufacturing processes and critical operations. As attackers focus on supply chain and operational targets, swift mitigation and network segmentation are urgent to prevent costly downtime and meet evolving compliance benchmarks.
Attack Path Analysis
An attacker remotely exploited an input validation flaw in the MELSEC iQ-F Series by sending crafted TCP packets to initiate a denial-of-service (DoS). No privilege escalation or lateral movement occurred, but the approach could allow for reconnaissance against industrial systems if left unchecked. The attacker established initial remote connections to the target device, leveraging accessible network paths. There was no evidence of data exfiltration, but availability was disrupted as the attack caused the targeted PLC connection to drop, impacting device functionality.
Kill Chain Progression
Initial Compromise
Description
Adversary remotely accessed the MELSEC iQ-F PLC via exposed TCP services and sent crafted packets exploiting the improper input validation vulnerability.
Related CVEs
CVE-2025-10259
CVSS 5.3
A denial-of-service (DoS) vulnerability in the TCP communication function of Mitsubishi Electric MELSEC iQ-F Series CPU modules allows a remote attacker to disconnect the connection by sending specially crafted TCP packets, causing a DoS condition on the product.
Affected Products:
Mitsubishi Electric MELSEC iQ-F Series – All versions
Exploit Status:
no public exploit
CVE-2025-5241
CVSS 5.3
A denial-of-service (DoS) vulnerability in the MELSEC iQ-F Series due to an overly restrictive account lockout mechanism allows a remote attacker to lock out legitimate users for a certain period by repeatedly attempting to log in with incorrect passwords.
Affected Products:
Mitsubishi Electric MELSEC iQ-F Series – All versions
Exploit Status:
no public exploit
CVE-2025-3755
CVSS 9.1
An information disclosure and denial-of-service (DoS) vulnerability in the MELSEC iQ-F Series CPU module allows a remote attacker to read information, cause a DoS condition in MELSOFT connection, or stop the operation of the CPU module by sending specially crafted packets.
Affected Products:
Mitsubishi Electric MELSEC iQ-F Series – All versions
Exploit Status:
no public exploit
CVE-2025-7405
CVSS 7.3
An information disclosure, information tampering, and denial-of-service (DoS) vulnerability in the MELSEC iQ-F Series CPU module due to missing authentication for critical functions allows an attacker to read or write device values and stop program operations.
Affected Products:
Mitsubishi Electric MELSEC iQ-F Series – All versions
Exploit Status:
no public exploit
CVE-2025-7731
CVSS 7.5
An information disclosure vulnerability in the MELSEC iQ-F Series CPU module due to cleartext transmission of sensitive information allows an attacker to obtain credential information by intercepting SLMP communication messages, potentially leading to unauthorized access and control.
Affected Products:
Mitsubishi Electric MELSEC iQ-F Series – All versions
Exploit Status:
no public exploit
CVE-2025-5514
CVSS 5.3
A denial-of-service (DoS) vulnerability in the web server function of the MELSEC iQ-F Series CPU module allows a remote attacker to delay processing and prevent legitimate users from utilizing the web server function by sending specially crafted HTTP requests.
Affected Products:
Mitsubishi Electric MELSEC iQ-F Series – All versions
Exploit Status:
no public exploit
MITRE ATT&CK® Techniques
Endpoint Denial of Service
Call Control Protocol Flood
Communication Protocol Spoofing
Exploitation for Denial
Modify System Process
Alarm Flood
Valid Accounts
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Implement Demilitarized Zones (DMZ) and Segmentation
Control ID: 1.4.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 10(1)
CISA ZTMM 2.0 – Segmentation and Network Controls
Control ID: Network and Environment - Segment and Control
NIS2 Directive – Incident Prevention and Protection
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Industrial Automation
Critical exposure as Mitsubishi MELSEC iQ-F PLCs are core automation components. DoS attacks could halt production lines and compromise operational technology networks.
Automotive
Manufacturing operations heavily dependent on MELSEC controllers face production disruption risks. TCP-based DoS vulnerabilities threaten assembly line continuity and quality control systems.
Oil/Energy/Solar/Greentech
Energy infrastructure using affected PLCs is vulnerable to service disruption. Remote DoS attacks could impact power generation, distribution systems, and renewable energy operations.
Utilities
Water treatment, electrical grid, and utility control systems using MELSEC iQ-F controllers face operational disruption from TCP-based denial-of-service vulnerability exploitation.
Sources
- Mitsubishi Electric MELSEC iQ-F Series: https://www.cisa.gov/news-events/ics-advisories/icsa-25-317-01
- Denial-of-Service(DoS) Vulnerability in TCP Communication Function on MELSEC iQ-F Series CPU module: https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-014_en.pdf
- Denial-of-Service Vulnerability in MELSEC iQ-F Series: https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-005_en.pdf
- Information Disclosure and Denial-of-Service(DoS) Vulnerability in MELSEC iQ-F Series CPU module: https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-003_en.pdf
- Information Disclosure, Information Tampering, and Denial of Service (DoS) Vulnerability in MELSEC iQ-F Series CPU module: https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-011_en.pdf
- Information Disclosure Vulnerability in MELSEC iQ-F Series CPU module: https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-012_en.pdf
- Denial-of-Service(DoS) Vulnerability in Web server function on MELSEC iQ-F Series CPU module: https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-010_en.pdf
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, encrypted traffic enforcement, and distributed policy controls would have constrained attacker reach—limiting unauthorized TCP access to the PLC, preventing direct service abuse, and providing rapid response to anomalous DoS attempts.
Control: Zero Trust Segmentation
Mitigation: Unauthorized remote access to PLC endpoints would be blocked.
Control: Zero Trust Segmentation
Mitigation: Lack of excessive privilege paths would limit potential for escalation.
Control: East-West Traffic Security
Mitigation: Lateral movement attempts within ICS network would be detected and blocked.
Control: Threat Detection & Anomaly Response
Mitigation: Malicious anomalous connections and traffic patterns would be rapidly detected.
Control: Egress Security & Policy Enforcement
Mitigation: Unusual outbound communications would be blocked or flagged.
Known exploit signatures and DoS patterns would be blocked in real time.
Impact at a Glance
Affected Business Functions
- Manufacturing Operations
- Process Control Systems
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of sensitive operational data and disruption of manufacturing processes.
Recommended Actions
Key Takeaways & Next Steps
- Enforce Zero Trust segmentation around all critical ICS/OT devices to restrict inbound and internal network access.
- Deploy line-rate encrypted traffic controls (MACsec/IPsec) to protect device communication from interception and manipulation.
- Implement east-west workload isolation to prevent lateral movement between controllers and critical plant systems.
- Utilize inline IPS and advanced threat detection for rapid identification and automatic mitigation of exploit attempts targeting ICS vulnerabilities.
- Establish continuous egress and policy controls to block unauthorized external communications and monitor for anomalous traffic patterns.



