Mitsubishi Electric MELSEC iQ-F CVE-2025-7731: Brief Summary of Cleartext Transmission Vulnerability

A brief summary of CVE-2025-7731, a cleartext transmission vulnerability in Mitsubishi Electric's MELSEC iQ-F Series CPU modules. This post covers technical details, affected versions, and vendor security history based on available advisories and research.
ZeroPath CVE Analysis

2025-08-31

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

Introduction

Credential theft and unauthorized device manipulation in manufacturing environments can have direct operational and safety consequences. CVE-2025-7731 exposes a critical flaw in Mitsubishi Electric's MELSEC iQ-F Series CPU modules, allowing attackers to intercept cleartext credentials and take control of programmable logic controllers (PLCs) used in factories worldwide.

About Mitsubishi Electric and MELSEC: Mitsubishi Electric is a leading global supplier of industrial automation and control systems, with the MELSEC product line deployed in a wide range of manufacturing and critical infrastructure environments. The MELSEC iQ-F Series is a modern PLC family used for controlling industrial processes, making this vulnerability relevant to a large number of organizations in the manufacturing sector.

Technical Information

CVE-2025-7731 is caused by the cleartext transmission of sensitive authentication information in the Seamless Message Protocol (SLMP) implemented by MELSEC iQ-F Series CPU modules. When an external device (such as an engineering workstation or HMI) communicates with a vulnerable PLC over Ethernet, SLMP transmits credential information in cleartext, without any encryption or obfuscation.

An attacker with access to the same network segment as the PLC can use standard packet capture tools (such as Wireshark) to intercept SLMP messages. Because credentials are not protected, the attacker can extract valid authentication data directly from network traffic. With these credentials, the attacker can:

  • Read or write device values on the PLC
  • Stop the execution of control programs

No authentication, privilege escalation, or user interaction is required. The attack complexity is low, and exploitation only requires network access to the SLMP communication channel. The vulnerability is present in all firmware versions of the affected product lines. Mitsubishi Electric has confirmed that no firmware fix will be released for this issue.
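
Because no firmware fix is coming, monitoring who speaks SLMP to the PLC is one of the few controls left. The following is an added example, not code from the advisory or from ZeroPath: it parses captured TCP payloads as SLMP requests and flags any sent by a host outside an approved set, rating write and stop commands highest. The 3E binary frame layout and the command codes are assumptions not stated on this page and should be checked against the SLMP reference manual; the addresses and frames are constructed samples.

```python
import struct

# Assumed SLMP 3E binary request header (not given on this page; check the SLMP
# reference manual): subheader, network, station, module I/O, multidrop station,
# data length, monitoring timer, command, subcommand. All little-endian.
HEADER = struct.Struct("<2sBBHBHHHH")
PREFIX_LEN = 9  # bytes before the monitoring timer; data length counts the rest
# Assumed command codes, mapped to the impacts this advisory describes.
COMMANDS = {
    0x0401: ("device read", "read"),
    0x1401: ("device write", "write"),
    0x1002: ("remote STOP", "control"),
}

def parse_slmp_request(payload: bytes):
    """Return (command, subcommand) for one well-formed request, else None."""
    if len(payload) < HEADER.size:
        return None
    sub, _, _, _, _, length, _, cmd, subcmd = HEADER.unpack_from(payload)
    if sub != b"\x50\x00" or length != len(payload) - PREFIX_LEN:
        return None
    return cmd, subcmd

def review(flows, approved_sources):
    """Flag SLMP requests sent by hosts outside the approved set."""
    alerts = []
    for src, payload in flows:
        parsed = parse_slmp_request(payload)
        if parsed is None or src in approved_sources:
            continue
        name, impact = COMMANDS.get(parsed[0], (f"command 0x{parsed[0]:04X}", "unknown"))
        severity = "high" if impact in ("write", "control") else "medium"
        alerts.append({"src": src, "command": name, "severity": severity})
    return alerts

# Constructed sample traffic (documentation addresses, hand-built frames).
READ_D100 = bytes.fromhex("500000ffff03000c00100001040000640000a80a00")
REMOTE_STOP = bytes.fromhex("500000ffff030008001000021000000100")
SAMPLE_FLOWS = [
    ("192.0.2.10", READ_D100),      # approved engineering workstation
    ("192.0.2.77", REMOTE_STOP),    # unapproved host stopping the program
    ("192.0.2.77", READ_D100),      # unapproved host reading device values
    ("192.0.2.77", b"GET / HTTP/1.1\r\n\r\n"),  # not SLMP, ignored
]

if __name__ == "__main__":
    for alert in review(SAMPLE_FLOWS, approved_sources={"192.0.2.10"}):
        print(alert)
```

The parser expects exactly one request per payload, so traffic taken from a real capture needs TCP stream reassembly before it is passed in.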

Affected Systems and Versions

The following MELSEC iQ-F Series CPU module families and models are affected. All versions of these models are vulnerable:

FX5U Series:

  • FX5U-32MT/ES, FX5U-32MT/DS, FX5U-32MT/ESS, FX5U-32MT/DSS
  • FX5U-32MR/ES, FX5U-32MR/DS
  • FX5U-64MT/ES, FX5U-64MT/DS, FX5U-64MT/ESS, FX5U-64MT/DSS
  • FX5U-64MR/ES, FX5U-64MR/DS
  • FX5U-80MT/ES, FX5U-80MT/DS, FX5U-80MT/ESS, FX5U-80MT/DSS
  • FX5U-80MR/ES, FX5U-80MR/DS

FX5UC Series:

  • FX5UC-32MT/D, FX5UC-32MT/DSS, FX5UC-64MT/D, FX5UC-64MT/DSS
  • FX5UC-96MT/D, FX5UC-96MT/DSS
  • FX5UC-32MT/DS-TS, FX5UC-32MT/DSS-TS, FX5UC-32MR/DS-TS

FX5UJ Series:

  • FX5UJ-24MT/ES, FX5UJ-24MT/DS, FX5UJ-24MT/ESS, FX5UJ-24MT/DSS
  • FX5UJ-24MR/ES, FX5UJ-24MR/DS
  • FX5UJ-40MT/ES, FX5UJ-40MT/DS, FX5UJ-40MT/ESS, FX5UJ-40MT/DSS
  • FX5UJ-40MR/ES, FX5UJ-40MR/DS
  • FX5UJ-60MT/ES, FX5UJ-60MT/DS, FX5UJ-60MT/ESS, FX5UJ-60MT/DSS
  • FX5UJ-60MR/ES, FX5UJ-60MR/DS
  • FX5UJ-24MT/ES-A, FX5UJ-24MR/ES-A, FX5UJ-40MT/ES-A, FX5UJ-40MR/ES-A, FX5UJ-60MT/ES-A, FX5UJ-60MR/ES-A

FX5S Series:

  • FX5S-30MT/ES, FX5S-30MT/DS, FX5S-30MT/ESS, FX5S-30MT/DSS
  • FX5S-30MR/ES, FX5S-30MR/DS
  • FX5S-40MT/ES, FX5S-40MT/DS, FX5S-40MT/ESS, FX5S-40MT/DSS
  • FX5S-40MR/ES, FX5S-40MR/DS
  • FX5S-60MT/ES, FX5S-60MT/DS, FX5S-60MT/ESS, FX5S-60MT/DSS
  • FX5S-60MR/ES, FX5S-60MR/DS
  • FX5S-80MT/ES, FX5S-80MT/DS, FX5S-80MT/ESS, FX5S-80MT/DSS
  • FX5S-80MR/ES, FX5S-80MR/DS

Some FX5S models are region-specific but remain vulnerable where deployed. All versions are affected; there is no unaffected firmware release.

Vendor Security History

Mitsubishi Electric has previously disclosed vulnerabilities in the MELSEC product line, including authentication bypass and denial of service issues. The company operates a Product Security Incident Response Team (PSIRT) and is a CVE Numbering Authority, indicating a mature vulnerability disclosure process. For CVE-2025-7731, the vendor has stated that no firmware fix will be provided, and mitigation must be handled by customers at the network level. Previous advisories for MELSEC products show that architectural security issues are an ongoing challenge.
