CISA issues alert on Mitsubishi Electric MELSEC iQ-F Series vulnerability
Mitsubishi Electric's MELSEC iQ-F Series programmable logic controllers are affected by an improper validation of a specified quantity in input weakness (CWE-1284) that a remote, unauthenticated attacker can use to cause a Denial of Service (DoS).
The issue, tracked as CVE-2025-10259, affects all versions of multiple product models within the MELSEC iQ-F Series. The flaw resides in the Transmission Control Protocol (TCP) communication function of the Central Processing Unit (CPU) module. An attacker who can reach that function over the network can send specially crafted TCP packets that force the targeted TCP connection to disconnect; other connections to the module are unaffected. The vulnerability carries a Common Vulnerability Scoring System (CVSS) version 3.1 base score of 5.3, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L: exploitable over the network with low attack complexity, no privileges and no user interaction required, unchanged scope, no confidentiality or integrity impact, and a low impact on availability.
Successful exploitation therefore produces a DoS condition limited to the targeted TCP connection: an attacker who can reach the module's TCP service can repeatedly drop a session between the controller and whatever client it is serving, with no credentials required.
No fixed version is mentioned; the vendor's guidance is to reduce exposure. Mitsubishi Electric advises users to use a Virtual Private Network (VPN) to secure communications when internet access to the product is required, and to restrict physical access to the products and to the local area networks they are connected to. Additional guidance is provided in Mitsubishi Electric's advisory 2025-014.
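As an added example (it is not from the Mitsubishi Electric or CISA advisories), the following sh script generates an nftables ruleset for a Linux gateway placed between the plant network and the CPU module, implementing the exposure-reduction guidance above: the weak, accept-everything forward policy is shown beside a default-drop policy that only lets the engineering LAN and the VPN address pool open TCP connections to the controller, and that never forwards traffic from the internet-facing interface straight to it. The controller address, subnets and interface names are assumptions chosen for illustration; because the advisory does not name the TCP port of the affected function, the filter is keyed on the controller's address rather than on a port.

```shell
#!/bin/sh
# Added example, not code from the Mitsubishi Electric or CISA advisories.
# Generates an nftables ruleset for a Linux gateway in front of a MELSEC iQ-F CPU module.
# The advisory does not name the TCP port of the affected function, so the filter is keyed
# on the controller's address and covers every TCP connection to it.
# All addresses, subnets and interface names below are assumptions for illustration.

PLC_IP="${PLC_IP:-192.168.3.250}"          # assumed CPU module address
ENG_SUBNET="${ENG_SUBNET:-192.168.3.0/24}" # assumed engineering/HMI LAN
VPN_SUBNET="${VPN_SUBNET:-10.8.0.0/24}"    # assumed VPN pool used for remote maintenance
PLANT_IF="${PLANT_IF:-eth1}"               # assumed interface facing the controller
WAN_IF="${WAN_IF:-eth0}"                   # assumed interface facing the internet

# Weak setting: the gateway forwards anything from anywhere to the controller, so a
# crafted TCP packet from any routable host reaches the CPU module's TCP function.
weak_ruleset() {
    cat <<EOF
table inet plc {
    chain forward {
        type filter hook forward priority 0; policy accept;
    }
}
EOF
}

# Hardened setting: default drop. Only the engineering LAN and the VPN pool may open
# TCP sessions to the controller, and nothing arriving on the WAN interface is forwarded
# to it directly; remote maintenance has to come in through the VPN tunnel.
hardened_ruleset() {
    cat <<EOF
table inet plc {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to sessions that were already allowed.
        ct state established,related accept

        # Never forward internet-side traffic straight to the controller.
        iifname "$WAN_IF" ip daddr $PLC_IP drop

        # Allowlisted sources may open new TCP sessions to the CPU module (any port,
        # since the affected function's port is not specified) and ping it.
        ip saddr { $ENG_SUBNET, $VPN_SUBNET } ip daddr $PLC_IP meta l4proto tcp ct state new accept
        ip saddr { $ENG_SUBNET, $VPN_SUBNET } ip daddr $PLC_IP icmp type echo-request accept

        # Everything else aimed at the controller is logged for the SOC and dropped.
        ip daddr $PLC_IP log prefix "plc-blocked: " drop
    }
}
EOF
}

# Write the hardened ruleset to a file for review. Once reviewed, load it with:
#   nft -f /etc/nftables.d/plc.nft
write_hardened_ruleset() {
    out="$1"
    hardened_ruleset > "$out"
}
```

Load the generated file with nft -f only after review: because the affected function's port is not specified, every client that needs a TCP session to the CPU module (HMI, engineering tool, SCADA poller) must sit in one of the allowlisted subnets, or its connection attempts will show up in the gateway log with the plc-blocked: prefix and be dropped.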
The Cybersecurity and Infrastructure Security Agency emphasizes that organizations should conduct thorough impact analyses and risk assessments before implementing defensive actions. CISA provides recommended practices for control systems security and encourages adoption of strategies aimed at the proactive defense of industrial control system assets.
Information on targeted cyber intrusion detection and mitigation is available through the resources on CISA's industrial control systems webpage. Organizations that observe suspected malicious activity should report it to CISA through established procedures so that incidents can be tracked and correlated with other reports. No public reports of exploitation related to this vulnerability have been received by CISA to date.