Critical authentication bypass and OS command injection flaws in Mitsubishi Electric smartRTU
Take action: If you are using Mitsubishi Electric smartRTU versions 3.37 or earlier, be aware that they are critically vulnerable and the vendor won't release a fix. All you can do is make sure the devices are isolated in a separate network, with tightly controlled access from trusted sources only. Same goes for physical access to the devices.
Learn More
Mitsubishi Electric Europe B.V. is reporting multiple security vulnerabilities in their smartRTU product that could allow remote attackers to execute arbitrary commands without authentication.
Vulnerability summary
- CVE-2025-3232 (CVSS score 7.5) - Missing Authentication for Critical Function. Allows remote unauthenticated attackers to bypass authentication by utilizing a specific API route
- CVE-2025-3128 (CVSS score 9.8) - Improper Neutralization of Special Elements used in an OS Command. Enables execution of arbitrary OS commands to disclose sensitive information, tamper with system data, destroy or delete information and cause denial-of-service conditions
Affected products are Mitsubishi Electric smartRTU: Versions 3.37 and prior
Mitsubishi Electric Europe B.V. is reporting that there are no plans to release a fixed version and recommends the following mitigation measures:
- Use firewalls or virtual private networks (VPNs) to prevent unauthorized access when Internet access is required
- Use within a LAN and block access from untrusted networks through firewalls
- Implement web application firewalls (WAF) to filter, monitor and block malicious HTTP/HTTPS traffic
- Allow web client access only from trusted networks
