Multiple Vulnerabilities in Mitsubishi Electric MELSOFT Update Manager Expose Industrial Systems
CISA alerts to critical flaws in Mitsubishi Electric's MELSOFT Update Manager, potentially allowing attackers to execute arbitrary code, tamper with data, or cause denial-of-service.

CISA has issued a critical alert regarding multiple vulnerabilities affecting Mitsubishi Electric's MELSOFT Update Manager software, specifically versions 1.000A through 1.014Q. These flaws, stemming from the integrated 7-Zip component, pose significant risks to industrial control systems and critical manufacturing environments worldwide.
The vulnerabilities include a heap-based buffer overflow (CVE-2025-53816), a NULL pointer dereference (CVE-2025-53817), and improper path resolution (CVE-2025-55188), along with an additional flaw identified as CVE-2025-11001. Successful exploitation by a local attacker could lead to severe consequences, ranging from denial-of-service conditions and information tampering to the execution of arbitrary code.
The primary attack vector involves convincing a legitimate user to decompress a specially crafted archive file using the vulnerable MELSOFT Update Manager. Decompressing the archive exercises the flaws in the 7-Zip component, which is integral to the update management software. The vulnerabilities carry a CVSS v3.1 score of 8.8 (HIGH), underscoring the severity of the potential impact.
Mitsubishi Electric has acknowledged these issues and is providing a fix in version 1.015R of the MELSOFT Update Manager. Users are strongly advised to update to the latest version as soon as possible. Further details and download links for the patched version can be found on Mitsubishi Electric's Japanese download site, with a dedicated security advisory available in English.
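A triage check for the version range given above, as an added example that is not from Mitsubishi Electric or CISA: it classifies installed MELSOFT Update Manager version strings against the affected range 1.000A through 1.014Q and the fixed version 1.015R. The hostnames and inventory are constructed, and ordering versions by the numeric part (ignoring the letter suffix) is an assumption about the vendor's numbering.

```python
import re

# Version boundaries taken from the advisory text above.
FIRST_AFFECTED = "1.000A"
LAST_AFFECTED = "1.014Q"
FIXED = "1.015R"

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d{3})([A-Z])\s*$", re.IGNORECASE)


def parse_version(text):
    """Return (major, minor) for a string such as '1.014Q', or None if malformed."""
    m = _VERSION_RE.match(text or "")
    if not m:
        return None
    # Assumption: ordering follows the numeric part; the letter suffix is ignored.
    return int(m.group(1)), int(m.group(2))


def classify(version_text):
    """Classify one installed version as 'affected', 'fixed' or 'unknown'."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"  # never treat an unparseable value as safe
    if parse_version(FIRST_AFFECTED) <= v <= parse_version(LAST_AFFECTED):
        return "affected"
    if v >= parse_version(FIXED):
        return "fixed"
    return "unknown"


def triage(inventory):
    """Map host -> status for a {host: version string} inventory."""
    return {host: classify(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hostnames and values are made up).
SAMPLE = {
    "eng-ws-01": "1.014Q",
    "eng-ws-02": "1.015R",
    "eng-ws-03": "1.003D",
    "eng-ws-04": "",
    "eng-ws-05": "1.14",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE).items()):
        print(f"{host}: {status}")
```

Hosts reported as "unknown" have a missing or malformed version string and need a manual check rather than being counted as patched.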
For organizations unable to immediately apply the update, Mitsubishi Electric recommends several mitigation strategies. These include restricting the affected PCs to internal networks, blocking remote logins from untrusted sources, and implementing firewalls or VPNs to control access. Additionally, users should exercise caution with email attachments and web links from unknown sources and ensure anti-virus software is installed and up-to-date.
Physical security measures, such as restricting physical access to the affected systems and networks, are also recommended as a supplementary defense. These layered security approaches aim to minimize the attack surface and reduce the likelihood of successful exploitation while a permanent fix is being deployed.
The widespread deployment of Mitsubishi Electric products across critical infrastructure sectors globally, including critical manufacturing, highlights the broad potential impact of these vulnerabilities. The company's headquarters are located in Japan, but its products are utilized worldwide, making this a significant concern for international industrial operations.
This alert serves as a crucial reminder for organizations to maintain vigilance in patching and securing their industrial control systems. Prompt application of vendor-supplied updates and adherence to recommended security practices are essential to protect against potential cyber threats targeting operational technology environments.