Introduction
Production lines, water treatment plants, and food manufacturing facilities using Mitsubishi Electric MELSEC iQ-F Series controllers are exposed to remote manipulation risks due to a missing authentication mechanism in Modbus TCP. Attackers can read or alter device values and stop industrial programs without credentials, directly impacting operational continuity and safety.
About Mitsubishi Electric and MELSEC iQ-F: Mitsubishi Electric is a global leader in industrial automation, with the MELSEC product line deployed in thousands of manufacturing, energy, and infrastructure sites worldwide. The iQ-F Series is a core programmable logic controller (PLC) family, known for its flexibility and integration in critical operations across diverse sectors.
Technical Information
CVE-2025-7405 is rooted in the lack of authentication in the Modbus TCP protocol implementation on MELSEC iQ-F Series CPU modules. Modbus TCP is a widely used industrial protocol, but in these devices, it does not require any authentication or authorization for critical functions. Any remote system with network access to the controller's Modbus TCP ports (typically 502 or 503) can:
- Read device registers (disclose process values, configuration, and operational data)
- Write to device registers (alter process parameters, manipulate logic, or cause unsafe states)
- Stop the execution of control programs (triggering downtime or process interruption)
The vulnerability is classified as CWE-306 (Missing Authentication for Critical Function). The device does not verify the identity or permissions of the remote party, so any Modbus TCP client can issue commands. No code snippets or specific PoC details are publicly available. Exploitation requires only network access and knowledge of the Modbus protocol.
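Because the controller itself does not check who is sending a request, that check has to happen on the network path. The following is an added example (not from the vendor advisory or the original page) that parses Modbus TCP request payloads and flags standard Modbus write function codes sent by hosts outside an allowlist. The IP addresses, the allowlist, and the sample frames are constructed assumptions.

```python
import struct

# Standard Modbus function codes that change device state (Modbus application protocol).
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}

# Assumption: engineering hosts permitted to write to the PLC (constructed address).
ALLOWED_WRITERS = {"10.10.5.20"}


def parse_request(payload: bytes):
    """Parse the MBAP header plus function code; return None if not valid Modbus TCP."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol identifier is always 0 for Modbus; length counts unit id + PDU.
    if proto != 0 or length < 2 or length != len(payload) - 6:
        return None
    return {"tid": tid, "unit": unit, "function": payload[7]}


def review(src_ip: str, payload: bytes):
    """Return an alert string for a write from a non-allowlisted source, else None."""
    req = parse_request(payload)
    if req is None:
        return None
    name = WRITE_FUNCTIONS.get(req["function"])
    if name and src_ip not in ALLOWED_WRITERS:
        return f"ALERT {src_ip} unit={req['unit']} fc=0x{req['function']:02X} {name}"
    return None


# Constructed sample requests (TCP payloads to port 502), not real captures.
SAMPLES = [
    ("10.10.5.20", bytes.fromhex("000100000006010600010064")),  # allowed host, write register
    ("10.10.9.77", bytes.fromhex("000200000006010300000002")),  # unknown host, read only
    ("10.10.9.77", bytes.fromhex("000300000006010600010000")),  # unknown host, write register
    ("10.10.9.77", bytes.fromhex("0004000000060105000AFF00")),  # unknown host, write coil
]

if __name__ == "__main__":
    for ip, data in SAMPLES:
        print(ip, review(ip, data))
```

Reads from unknown hosts are not flagged here although they also disclose process data; a stricter deployment would alert on any Modbus TCP request from a source outside the allowlist.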
Affected Systems and Versions
The following MELSEC iQ-F Series CPU modules are affected:
- FX5U Series:
  - FX5U-32MT/ES, FX5U-32MT/DS, FX5U-32MR/ES, FX5U-32MR/DS
  - FX5U-64MT/ES, FX5U-64MT/DS, FX5U-64MR/ES, FX5U-64MR/DS
  - FX5U-80MT/ES, FX5U-80MT/DS, FX5U-80MR/ES, FX5U-80MR/DS
  - Affected firmware: Version 1.060 and later
- FX5UC Series:
  - FX5UC-32MT/DSS, FX5UC-32MT/DS, FX5UC-64MT/DSS, FX5UC-64MT/DS
  - FX5UC-96MT/DSS, FX5UC-96MT/DS, FX5UC-32MT/DSS-TS, FX5UC-32MT/DS-TS
  - Affected firmware: Version 1.060 and later
- FX5UJ Series:
  - FX5UJ-24MT/ES, FX5UJ-24MR/ES, FX5UJ-40MT/ES, FX5UJ-40MR/ES
  - FX5UJ-60MT/ES, FX5UJ-60MR/ES, FX5UJ-60MT/ESS, FX5UJ-60MR/ESS
  - FX5UJ-24MT/ES-A, FX5UJ-40MT/ES-A, FX5UJ-60MT/ES-A
  - All firmware versions
- FX5S Series:
  - FX5S-30MT/ES, FX5S-30MR/ES, FX5S-40MT/ES, FX5S-40MR/ES
  - FX5S-60MT/ES, FX5S-60MR/ES, FX5S-80MT/ES, FX5S-80MR/ES
  - All firmware versions
No patch is planned for most affected models. The vulnerability is present regardless of configuration if Modbus TCP is enabled and accessible.
Vendor Security History
Mitsubishi Electric has faced several security issues in its MELSEC product line, including:
- Previous authentication bypass and protocol parsing vulnerabilities (see CISA and vendor advisories)
- A pattern of relying on network-level mitigations rather than firmware patches for OT vulnerabilities
- Formal PSIRT established in 2019 and CVE Numbering Authority status since 2020
- Patch response varies by product and vulnerability, but for CVE-2025-7405, no firmware fix is planned for most models