1. EXECUTIVE SUMMARY
- CVSS v3 9.1
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Mitsubishi Electric
- Equipment: MELSEC iQ-F Series
- Vulnerability: Improper Validation of Specified Index, Position, or Offset in Input
2. RISK EVALUATION
Successful exploitation of this vulnerability could allow an attacker to read confidential information, cause a denial-of-service condition, or stop operations by sending specially crafted packets.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Mitsubishi Electric MELSEC iQ-F Series are affected. Products with [Note *1] are sold in limited regions:
- FX5U-xMy/z x=32, 64, 80, y=T, R, z=ES,DS, ESS, DSS: All versions
- FX5UC-xMy/z x=32, 64, 96, y=T, z=D, DSS: All versions
- FX5UC-32MT/DS-TS, FX5UC-32MT/DSS-TS, FX5UC-32MR/DS-TS: All versions
- FX5UJ-xMy/z x=24, 40, 60, y=T, R, z=ES,DS,ESS,DSS: All versions
- FX5UJ-xMy/ES-A[Note *1] x=24, 40, 60, y=T, R: All versions
- FX5S-xMy/z x=30, 40, 60, 80[Note *1], y=T, R, z= ES,DS,ESS,DSS: All versions
3.2 VULNERABILITY OVERVIEW
3.2.1 IMPROPER VALIDATION OF SPECIFIED INDEX, POSITION, OR OFFSET IN INPUT CWE-1285
This vulnerability allows a remote attacker to read information in the product, cause a Denial-of-Service (DoS) condition in MELSOFT connection communication with Mitsubishi Electric FA products such as GX Works3 and GOT, or stop the operation of the CPU module (causing a DoS condition on the CPU module), by sending specially crafted packets. The product is needed to reset for recovery.
CVE-2025-3755 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.1 has been calculated; the CVSS vector string is (This article has been indexed from All CISA Advisories