Mitsubishi Electric MELSEC iQ-F Series CVE-2025-7405: Brief Summary of Critical Missing Authentication Vulnerability

This post provides a brief summary of CVE-2025-7405, a missing authentication vulnerability in Mitsubishi Electric MELSEC iQ-F Series CPU modules. The flaw allows unauthenticated remote access to device values and program control via Modbus TCP. It includes affected versions, technical details, and vendor security history.
CVE Analysis

ZeroPath CVE Analysis

2025-08-31

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

Production lines, water treatment plants, and food manufacturing facilities using Mitsubishi Electric MELSEC iQ-F Series controllers are exposed to remote manipulation risks due to a missing authentication mechanism in Modbus TCP. Attackers can read or alter device values and stop industrial programs without credentials, directly impacting operational continuity and safety.

About Mitsubishi Electric and MELSEC iQ-F: Mitsubishi Electric is a global leader in industrial automation, with the MELSEC product line deployed in thousands of manufacturing, energy, and infrastructure sites worldwide. The iQ-F Series is a core programmable logic controller (PLC) family, known for its flexibility and integration in critical operations across diverse sectors.

Technical Information

CVE-2025-7405 is rooted in the lack of authentication in the Modbus TCP protocol implementation on MELSEC iQ-F Series CPU modules. Modbus TCP is a widely used industrial protocol, but in these devices, it does not require any authentication or authorization for critical functions. Any remote system with network access to the controller's Modbus TCP ports (typically 502 or 503) can:

  • Read device registers (disclose process values, configuration, and operational data)
  • Write to device registers (alter process parameters, manipulate logic, or cause unsafe states)
  • Stop the execution of control programs (triggering downtime or process interruption)

The vulnerability is classified as CWE-306 (Missing Authentication for Critical Function). The device does not verify the identity or permissions of the remote party, so any Modbus TCP client can issue commands. No code snippets or specific PoC details are publicly available. Exploitation requires only network access and knowledge of the Modbus protocol.
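Because the controller itself performs no authentication, the practical control is on the network: only engineering stations should be able to reach the Modbus TCP ports, and any other host issuing Modbus requests, especially write requests, is worth an alert. The following is an added example written for this summary (it is not Mitsubishi code and not part of the original analysis) that parses Modbus/TCP frames at the MBAP header and function-code level and triages them against a source-address allowlist. The frames, IP addresses and the allowlist are constructed for illustration; the example covers the standard public Modbus function codes and does not model the vendor-specific program-stop capability, which the advisory summary does not detail.

```python
"""Triage Modbus/TCP requests against an allowlist of engineering stations.

Added example for this write-up, not vendor code. Sample frames, addresses and
the allowlist below are constructed for illustration.
"""
import struct
from dataclasses import dataclass
from typing import Optional

# Standard Modbus public function codes that change controller state.
WRITE_FUNCTION_CODES = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}
# Read-only function codes; still sensitive because they disclose process data.
READ_FUNCTION_CODES = {
    0x01: "Read Coils",
    0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers",
    0x04: "Read Input Registers",
}

MODBUS_PORTS = {502, 503}  # ports named in the advisory summary

# Constructed allowlist: hosts that are permitted to talk Modbus to the PLC.
ALLOWLIST = frozenset({"10.0.0.5"})


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    pdu: bytes  # function-specific payload following the function code


def parse_modbus_tcp(payload: bytes) -> Optional[ModbusRequest]:
    """Parse a 7-byte MBAP header plus PDU; return None if the frame is malformed."""
    if len(payload) < 8:  # MBAP header (7) + at least the function code (1)
        return None
    tid, pid, length, uid = struct.unpack(">HHHB", payload[:7])
    if pid != 0:  # protocol identifier is always 0 for Modbus
        return None
    if length != len(payload) - 6:  # length field counts unit id + PDU
        return None
    return ModbusRequest(tid, uid, payload[7], payload[8:])


def assess(src_ip: str, dst_port: int, payload: bytes, allowlist: frozenset) -> Optional[dict]:
    """Return an alert for one TCP segment sent to the PLC, or None if nothing to report."""
    if dst_port not in MODBUS_PORTS:
        return None
    req = parse_modbus_tcp(payload)
    if req is None:
        return {"severity": "low", "reason": "malformed MBAP/PDU", "src": src_ip}
    trusted = src_ip in allowlist
    fc = req.function_code
    if fc in WRITE_FUNCTION_CODES:
        # Writes from unknown hosts are the direct manipulation risk; writes from
        # trusted hosts are still recorded for audit.
        return {
            "severity": "high" if not trusted else "info",
            "reason": f"{WRITE_FUNCTION_CODES[fc]} from {'untrusted' if not trusted else 'trusted'} host",
            "src": src_ip, "unit": req.unit_id, "fc": fc,
        }
    if not trusted:
        name = READ_FUNCTION_CODES.get(fc, f"function 0x{fc:02x}")
        return {"severity": "medium", "reason": f"{name} from untrusted host",
                "src": src_ip, "unit": req.unit_id, "fc": fc}
    return None


def triage(events, allowlist: frozenset) -> list:
    """Run assess() over (src_ip, dst_port, payload) tuples and keep the alerts."""
    alerts = []
    for src_ip, dst_port, payload in events:
        alert = assess(src_ip, dst_port, payload, allowlist)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample traffic: (source IP, destination port, raw TCP payload).
SAMPLE_EVENTS = [
    ("10.0.0.5", 502, bytes.fromhex("00010000000601030000000a")),           # trusted read, 10 regs
    ("10.0.0.77", 502, bytes.fromhex("000200000006010600101234")),          # untrusted single write
    ("10.0.0.77", 502, bytes.fromhex("00030000000b0110000000020400010002")),  # untrusted multi write
    ("10.0.0.77", 503, bytes.fromhex("0004000000ff0103")),                  # bad length field
    ("10.0.0.9", 80, b"GET / HTTP/1.0\r\n"),                                # not Modbus, ignored
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS, ALLOWLIST):
        print(alert)
```

In a real deployment the `SAMPLE_EVENTS` list would be replaced by frames taken from a span port or a flow sensor in front of the PLC, and the allowlist would name the engineering workstations that are legitimately permitted to reach ports 502 and 503. Any "high" alert is a write request from a host that should not be able to reach the controller at all, which, given that the device cannot refuse it, is the signal to act on.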

Affected Systems and Versions

The following MELSEC iQ-F Series CPU modules are affected:

  • FX5U Series:

    • FX5U-32MT/ES, FX5U-32MT/DS, FX5U-32MR/ES, FX5U-32MR/DS
    • FX5U-64MT/ES, FX5U-64MT/DS, FX5U-64MR/ES, FX5U-64MR/DS
    • FX5U-80MT/ES, FX5U-80MT/DS, FX5U-80MR/ES, FX5U-80MR/DS
    • Affected firmware: Version 1.060 and later
  • FX5UC Series:

    • FX5UC-32MT/DSS, FX5UC-32MT/DS, FX5UC-64MT/DSS, FX5UC-64MT/DS
    • FX5UC-96MT/DSS, FX5UC-96MT/DS, FX5UC-32MT/DSS-TS, FX5UC-32MT/DS-TS
    • Affected firmware: Version 1.060 and later
  • FX5UJ Series:

    • FX5UJ-24MT/ES, FX5UJ-24MR/ES, FX5UJ-40MT/ES, FX5UJ-40MR/ES
    • FX5UJ-60MT/ES, FX5UJ-60MR/ES, FX5UJ-60MT/ESS, FX5UJ-60MR/ESS
    • FX5UJ-24MT/ES-A, FX5UJ-40MT/ES-A, FX5UJ-60MT/ES-A
    • All firmware versions
  • FX5S Series:

    • FX5S-30MT/ES, FX5S-30MR/ES, FX5S-40MT/ES, FX5S-40MR/ES
    • FX5S-60MT/ES, FX5S-60MR/ES, FX5S-80MT/ES, FX5S-80MR/ES
    • All firmware versions

No patch is planned for most affected models. The vulnerability is present regardless of configuration if Modbus TCP is enabled and accessible.

Vendor Security History

Mitsubishi Electric has faced several security issues in its MELSEC product line, including:

  • Previous authentication bypass and protocol parsing vulnerabilities (see CISA and vendor advisories)
  • A pattern of relying on network-level mitigations rather than firmware patches for OT vulnerabilities
  • Formal PSIRT established in 2019 and CVE Numbering Authority status since 2020
  • Patch response varies by product and vulnerability, but for CVE-2025-7405, no firmware fix is planned for most models
