CVE-2025-8531
📋 TL;DR
A remote attacker can send specially crafted packets to cause an integer underflow in Mitsubishi Electric MELSEC-Q Series PLCs, stopping Ethernet communication and control program execution. This affects the CPU models listed below whose serial numbers have first five digits in the range '24082' to '27081'. The flaw is only exploitable when the user authentication function is enabled; that function is disabled by default and is normally enabled only through GX Works2 for compliance with China's Cybersecurity Law.
💻 Affected Systems
- MELSEC-Q Series Q03UDVCPU
- Q04UDVCPU
- Q06UDVCPU
- Q13UDVCPU
- Q26UDVCPU
- Q04UDPVCPU
- Q06UDPVCPU
- Q13UDPVCPU
- Q26UDPVCPU
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete disruption of industrial processes by stopping control program execution and Ethernet communication, potentially causing safety incidents, production downtime, or equipment damage.
Likely Case
Temporary denial of service affecting network communication and program execution until system restart, disrupting monitoring and control capabilities.
If Mitigated
No impact if user authentication is disabled (default configuration) or if affected devices are isolated from untrusted networks.
🎯 Exploit Status
Exploitation requires sending specially crafted packets to the PLC's Ethernet interface. The attacker must know the target's network configuration and have user authentication enabled on the target.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firmware updates available from Mitsubishi Electric
Vendor Advisory: https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-013_en.pdf
Restart Required: No
Instructions:
1. Download the firmware update from the Mitsubishi Electric support portal.
2. Connect to the PLC via the programming cable.
3. Use GX Works3 to upload the new firmware.
4. Verify the firmware version after the update.
🔧 Temporary Workarounds
Disable User Authentication
Disable the user authentication function if it is not required for compliance
Use GX Works2/3 to access security settings and disable user authentication
Network Segmentation
Isolate affected PLCs in separate network segments with strict firewall rules
Configure firewall to only allow necessary traffic from trusted sources
🧯 If You Can't Patch
- Implement strict network access controls to limit communication to trusted sources only
- Disable user authentication function if not required for regulatory compliance
- Monitor network traffic for anomalous packet patterns targeting PLC Ethernet ports
🔍 How to Verify
Check if Vulnerable:
Check PLC serial number first 5 digits and verify if user authentication is enabled using GX Works2/3
Check Version:
Use GX Works3 to read PLC information and check firmware version
Verify Fix Applied:
Verify firmware version after update and confirm user authentication status
📡 Detection & Monitoring
Log Indicators:
- PLC error logs showing communication failures
- Authentication failure logs if user authentication enabled
- Program execution stop events
Network Indicators:
- Unusual packet patterns to TCP/UDP ports used by MELSEC communication
- Multiple malformed packets to PLC IP addresses
- Traffic from unauthorized sources to PLC network segments
SIEM Query:
source_ip=* AND dest_port IN (5006,5007,5008) AND (packet_size < 20 OR packet_size > 1500)
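As an added example (not part of this advisory or any vendor tooling), the network indicators above expressed as a small Python detector run over constructed flow records: it flags undersized or oversized packets to the MELSEC ports and any traffic to the PLC segment from outside a trusted subnet, then counts malformed packets per PLC. The log format, the trusted subnet and the PLC segment are assumptions.

```python
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple

# Ports the advisory lists for MELSEC communication.
MELSEC_PORTS = {5006, 5007, 5008}
# Assumed network layout: engineering/SCADA subnet is trusted, PLCs live in 10.10.2.0/24.
TRUSTED_SOURCES = [ipaddress.ip_network("10.10.1.0/24")]
PLC_SEGMENT = ipaddress.ip_network("10.10.2.0/24")

# Constructed key=value flow records (not a real vendor log format).
SAMPLE_LOG = """\
ts=2025-01-01T10:00:00Z src=10.10.1.5 dst=10.10.2.10 dport=5007 proto=udp bytes=64
ts=2025-01-01T10:00:01Z src=10.10.1.5 dst=10.10.2.10 dport=5007 proto=udp bytes=12
ts=2025-01-01T10:00:02Z src=192.168.50.9 dst=10.10.2.10 dport=5006 proto=tcp bytes=80
ts=2025-01-01T10:00:03Z src=10.10.1.5 dst=10.10.2.10 dport=5007 proto=udp bytes=2048
ts=2025-01-01T10:00:04Z src=10.10.1.5 dst=10.10.2.10 dport=80 proto=tcp bytes=12
"""

def parse_line(line: str) -> Dict[str, str]:
    """Split one 'key=value key=value' record into a dict."""
    return dict(field.split("=", 1) for field in line.split())

def classify(rec: Dict[str, str]) -> List[str]:
    """Return the advisory indicators this record matches (empty list = benign)."""
    reasons: List[str] = []
    if ipaddress.ip_address(rec["dst"]) not in PLC_SEGMENT:
        return reasons  # only traffic toward the PLC segment is of interest
    dport, size = int(rec["dport"]), int(rec["bytes"])
    # Size test applies only to MELSEC ports; the parentheses matter here.
    if dport in MELSEC_PORTS and (size < 20 or size > 1500):
        reasons.append("malformed-size")
    src = ipaddress.ip_address(rec["src"])
    if not any(src in net for net in TRUSTED_SOURCES):
        reasons.append("untrusted-source")
    return reasons

def detect(log_text: str) -> List[Tuple[str, str, int, List[str]]]:
    """Return (timestamp, source, dest port, reasons) for every matching record."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        reasons = classify(rec)
        if reasons:
            alerts.append((rec["ts"], rec["src"], int(rec["dport"]), reasons))
    return alerts

def malformed_per_plc(log_text: str) -> Dict[str, int]:
    """Count malformed-size packets per PLC address ('multiple malformed packets' indicator)."""
    recs = (parse_line(l) for l in log_text.splitlines())
    return dict(Counter(r["dst"] for r in recs if "malformed-size" in classify(r)))
```

Repeated hits for one PLC address, or any hit from an untrusted source, are worth correlating with the PLC error and program-stop events listed under Log Indicators.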