ICSA-26-036-02

Vulnerability from csaf_cisa - Published: 2026-02-05 07:00 - Updated: 2026-02-05 07:00
Summary
Mitsubishi Electric MELSEC iQ-R Series

Notes

Legal Notice and Terms of Use
This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).
Risk evaluation
Successful exploitation of this vulnerability may allow an attacker to read device data or part of a control program from the affected product, write device data in the affected product, or cause a denial-of-service condition on the affected product.
Critical infrastructure sectors
Critical Manufacturing
Countries/areas deployed
Worldwide
Company headquarters location
Japan
Recommended Practices
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
Recommended Practices
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Recommended Practices
CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.
Recommended Practices
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Recommended Practices
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
Recommended Practices
No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.
To clipboard 

{
  "document": {
    "acknowledgments": [
      {
        "organization": "Mitsubishi Electric",
        "summary": "reported this vulnerability to CISA"
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Disclosure is not limited",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.cisa.gov/news-events/news/traffic-light-protocol-tlp-definitions-and-usage"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy \u0026 Use policy (https://www.cisa.gov/privacy-policy).",
        "title": "Legal Notice and Terms of Use"
      },
      {
        "category": "summary",
        "text": "Successful exploitation of this vulnerability may allow an attacker to read device data or part of a control program from the affected product, write device data in the affected product, or cause a denial-of-service condition on the affected product.",
        "title": "Risk evaluation"
      },
      {
        "category": "other",
        "text": "Critical Manufacturing",
        "title": "Critical infrastructure sectors"
      },
      {
        "category": "other",
        "text": "Worldwide",
        "title": "Countries/areas deployed"
      },
      {
        "category": "other",
        "text": "Japan",
        "title": "Company headquarters location"
      },
      {
        "category": "general",
        "text": "CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.",
        "title": "Recommended Practices"
      },
      {
        "category": "general",
        "text": "No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.",
        "title": "Recommended Practices"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "central@cisa.dhs.gov",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "ICS Advisory ICSA-26-036-02 JSON",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/OT/white/2026/icsa-26-036-02.json"
      },
      {
        "category": "self",
        "summary": "ICSA Advisory ICSA-26-036-02 - Web Version",
        "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-036-02"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/resources-tools/resources/ics-recommended-practices"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/sites/default/files/publications/Cybersecurity_Best_Practices_for_Industrial_Control_Systems.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/topics/industrial-control-systems"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/news-events/ics-alerts/ics-alert-10-301-01"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/news-events/news/targeted-cyber-intrusion-detection-and-mitigation-strategies-update-b"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/secure-our-world/teach-employees-avoid-phishing"
      },
      {
        "category": "external",
        "summary": "Recommended Practices",
        "url": "https://www.cisa.gov/news-events/news/avoiding-social-engineering-and-phishing-attacks"
      }
    ],
    "title": "Mitsubishi Electric MELSEC iQ-R Series",
    "tracking": {
      "current_release_date": "2026-02-05T07:00:00.000000Z",
      "generator": {
        "date": "2026-02-04T21:49:04.303619Z",
        "engine": {
          "name": "CISA CSAF Generator",
          "version": "1.0.0"
        }
      },
      "id": "ICSA-26-036-02",
      "initial_release_date": "2026-02-05T07:00:00.000000Z",
      "revision_history": [
        {
          "date": "2026-02-05T07:00:00.000000Z",
          "legacy_version": "Initial",
          "number": "1",
          "summary": "Initial Republication of Mitsubishi Electric 2025-020"
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=48",
                "product": {
                  "name": "Mitsubishi Electric MELSEC iQ-R Series R08/16/32/120PCPU firmware: \u003c=48",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "MELSEC iQ-R Series R08/16/32/120PCPU firmware"
          }
        ],
        "category": "vendor",
        "name": "Mitsubishi Electric"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2025-15080",
      "cwe": {
        "id": "CWE-1284",
        "name": "Improper Validation of Specified Quantity in Input"
      },
      "notes": [
        {
          "category": "summary",
          "text": "An information disclosure, information tampering, and denial-of-service  vulnerability exists in Mitsubishi Electric proprietary protocol communication and SLMP communication used in FA products. An attacker may be able to read device data or part of a control program from the affected product, write device data in the affected product, or cause a denial-of-service condition on the affected product by sending a specially crafted packet containing a specific command to the affected product. ",
          "title": "Vulnerability Summary"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "cwe.mitre.org",
          "url": "https://cwe.mitre.org/data/definitions/1284.html"
        },
        {
          "category": "external",
          "summary": "www.cve.org",
          "url": "https://www.cve.org/CVERecord?id=CVE-2025-15080"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H"
        },
        {
          "category": "external",
          "summary": "www.first.org",
          "url": "https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N"
        }
      ],
      "remediations": [
        {
          "category": "mitigation",
          "details": "Mitsubishi Electric recommends users of the affected products follow the procedure below to update firmware version 49 or later. Download the update file for the fixed version, the engineering software for firmware upgrade, and the manual from the download website at https://www.mitsubishielectric.com/fa/download/index.html .  For details on updating the firmware, see MELSEC iQ-R Module Configuration Manual \"Appendix 2 Firmware Update Function\".",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://www.mitsubishielectric.com/fa/download/index.html"
        },
        {
          "category": "mitigation",
          "details": "Mitsubishi Electric recommends the following mitigations to reduce the risk of exploiting this vulnerability: Use a firewall or virtual private network (VPN) block access from untrusted networks and hosts using a firewall. Use the product within a LAN and block access from untrusted networks and hosts through a firewall. Use firewalls, IP filters, and similar controls to minimize connections to the product and prevent access from untrusted networks and hosts. For details on the IP filter function, refer to \"IP Filter\" in section 1.13, Security, of the MELSEC iQ-R Ethernet User\u0027s Manual (Application). Restrict physical access to the affected product and its connected LAN.",
          "product_ids": [
            "CSAFPID-0001"
          ]
        },
        {
          "category": "mitigation",
          "details": "For specific update instructions and additional details see the Mitsubishi Electric advisory at https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-020_en.pdf .",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-020_en.pdf"
        },
        {
          "category": "mitigation",
          "details": "For further information, contact your local Mitsubishi Electric representative at https://www.mitsubishielectric.com/fa/service-support/index.html .",
          "product_ids": [
            "CSAFPID-0001"
          ],
          "url": "https://www.mitsubishielectric.com/fa/service-support/index.html"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.4,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ]
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.