CVE-2025-10089
📋 TL;DR
This CVE describes an uncontrolled search path element vulnerability in Mitsubishi Electric's MILCO.S lighting control system applications. It allows a local attacker to execute malicious code by tricking the installer into loading a malicious DLL during installation. The vulnerability only affects the installation process and does not impact systems after installation is complete.
💻 Affected Systems
- MILCO.S Setting Application
- MILCO.S Setting Application (IR)
- MILCO.S Easy Setting Application (IR)
- MILCO.S Easy Switch Application (IR)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise through arbitrary code execution with installer privileges, potentially leading to persistent malware installation or system takeover.
Likely Case
Local privilege escalation or malware installation during the installation process if an attacker can place malicious DLLs in the search path.
If Mitigated
No impact if installation is performed from official sources and proper file integrity checks are in place.
🎯 Exploit Status
Requires local access and ability to place malicious DLL in installer search path. No exploitation after installation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed versions with digital signature 'Mitsubishi Electric Lighting'
Vendor Advisory: https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-015_en.pdf
Restart Required: No
Instructions:
1. Download the updated installer from the official Mitsubishi Electric website.
2. Verify that the installer's digital signature contains 'Mitsubishi Electric Lighting'.
3. Reinstall the affected applications using the updated installer.
🔧 Temporary Workarounds
Restrict installer execution (Windows)
Only allow installation from trusted sources and by authorized personnel.
Verify digital signatures (Windows)
Check the installer's file properties for the 'Mitsubishi Electric Lighting' digital signature before installation.
🧯 If You Can't Patch
- Only install from official Mitsubishi Electric website downloads
- Implement strict access controls on installation directories and installer execution
🔍 How to Verify
Check if Vulnerable:
Check if installed applications lack 'Mitsubishi Electric Lighting' digital signature in properties
Check Version:
Check file properties of MILCO.S Lighting Control.exe for digital signature details
Verify Fix Applied:
Verify installer and installed executables have 'Mitsubishi Electric Lighting' digital signature
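An added PowerShell check, not part of the vendor advisory or this page's original content, that applies the signature test above to both the installer and the installed executable. The two file paths are assumptions; adjust them to where the installer was downloaded and where MILCO.S was installed.

```powershell
# Added example: verify that the MILCO.S installer and installed executable carry a
# valid Authenticode signature from 'Mitsubishi Electric Lighting' (the fixed-version
# signer named in the advisory). Paths are assumptions, not values from the page.
$ExpectedSigner = 'Mitsubishi Electric Lighting'
$Targets = @(
    'C:\Downloads\MILCO.S_Setup.exe',                          # assumed installer location
    'C:\Program Files\MILCO.S\MILCO.S Lighting Control.exe'    # assumed install location
)

function Test-MilcoSignature {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Status = 'Missing'; Signer = ''; Trusted = $false }
    }

    $sig     = Get-AuthenticodeSignature -LiteralPath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    # Both conditions must hold: the chain validates ('Valid') AND the subject names the
    # expected publisher. A valid signature from another publisher, or an unsigned file
    # whose name merely looks right, is still reported as untrusted.
    $trusted = ($sig.Status -eq 'Valid') -and ($subject -like "*$ExpectedSigner*")

    [pscustomobject]@{ Path = $Path; Status = $sig.Status; Signer = $subject; Trusted = $trusted }
}

$results = $Targets | ForEach-Object { Test-MilcoSignature -Path $_ }
$results | Format-Table -AutoSize

# Caveat for the installation-time issue: DLLs sitting beside the installer are a
# common source of search-path pickups, so list any found in the installer's folder.
$installerDir = Split-Path -Parent $Targets[0]
if (Test-Path -LiteralPath $installerDir) {
    $strayDlls = Get-ChildItem -LiteralPath $installerDir -Filter '*.dll' -File -ErrorAction SilentlyContinue
    if ($strayDlls) {
        Write-Warning "DLL files present in the installer directory '$installerDir'; run the installer from a clean, access-controlled folder:"
        $strayDlls | Select-Object -ExpandProperty FullName
    }
}

if ($results | Where-Object { -not $_.Trusted }) {
    Write-Warning "One or more MILCO.S binaries are missing, unsigned, or not signed by '$ExpectedSigner'. Obtain the fixed installer from the vendor before proceeding."
    exit 1
}
```

Run from an elevated PowerShell prompt; a non-zero exit indicates at least one binary did not pass the signer check.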
📡 Detection & Monitoring
Log Indicators:
- Unusual installer execution from non-standard locations
- DLL loading from unexpected directories during installation
Network Indicators:
- No network indicators - local vulnerability only
SIEM Query:
Process creation events for MILCO.S installer from non-standard paths