CVE-2025-3755

CRITICAL9.1

Information Disclosure and Denial-of-Service(DoS) Vulnerability in MELSEC iQ-F Series CPU module

Published May 29, 2025

Modified 4 months ago

No fix available

Details

Improper Validation of Specified Index, Position, or Offset in Input vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series CPU modules allows a remote unauthenticated attacker to read information in the product, to cause a Denial-of-Service (DoS) condition in MELSOFT connection, or to stop the operation of the CPU module (causing a DoS condtion on the CPU module), by sending specially crafted packets. The product is needed to reset for recovery.

References

WEBhttps://jvn.jp/vu/JVNVU94070048/WEBhttps://www.cisa.gov/news-events/ics-advisories/icsa-25-153-03 ADVISORYhttps://www.cve.org/CVERecord?id=CVE-2025-3755 ADVISORYhttps://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-003_en.pdf

CVSS Analysis

CVSS v3.1

9.1

Exploitability

Attack Vector

NetworkAV:N

Attack Complexity

LowAC:L

Privileges Required

NonePR:N

User Interaction

NoneUI:N

Scope

UnchangedS:U

Impact

Confidentiality

HighC:H

Integrity

NoneI:N

Availability

HighA:H

9.1/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Weakness Type (CWE)

Other

CWE-1285

Ecosystems

Timeline

PublishedMay 29, 2025

ModifiedAug 27, 2025