Mitsubishi Electric Patches Critical Remote Takeover Flaw in MELSEC iQ-R Series PLCs
Take action: Make sure all MELSEC iQ-R Series PLCs are isolated from the public internet and accessible only from trusted networks. Then plan an update to firmware version 49.
Mitsubishi Electric issued a critical security advisory for a vulnerability in its MELSEC iQ-R Series programmable logic controllers (PLCs) that allows unauthenticated remote attackers to compromise industrial control processes.
The vulnerability is tracked as CVE-2025-15080 (CVSS score 9.4). It is an improper validation of specified quantity in input that affects the Mitsubishi Electric proprietary and SLMP communication protocols.
Attackers can exploit this by sending specially crafted packets with specific commands to the PLC's communication ports. Because the system fails to validate the quantity of data requested or provided in these packets, an attacker can trigger a buffer overflow and access other memory or crash the system.
Successful exploitation lets attackers read sensitive device data, extract portions of the control program, write malicious data to the device, or cause a Denial-of-Service (DoS) condition.
The flaw affects Mitsubishi Electric MELSEC iQ-R Series R08/16/32/120PCPU firmware versions 48 and earlier.
Mitsubishi Electric recommends that users immediately update their firmware to version 49 or later. Organizations should isolate affected PLCs behind firewalls, use VPNs for remote access, and implement IP filtering to restrict communication to known, trusted hosts.
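The quantity validation whose absence is described above, as an added example that is not Mitsubishi Electric code and does not use the SLMP wire format: the five-byte header layout, the limits and all names are constructed for illustration. It checks both the quantity requested (read) and the quantity provided (write) before any memory is touched.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DEV_WORDS     1024u  /* simulated device memory, in 16-bit words */
#define MAX_REQ_WORDS 64u    /* per-request quantity limit (assumed value) */
#define HDR_LEN       5u     /* op(1) + start(2, LE) + count(2, LE); constructed layout */

enum { OP_READ = 0x01, OP_WRITE = 0x02 };
enum { ERR_SHORT = -1, ERR_QUANTITY = -2, ERR_RANGE = -3, ERR_LENGTH = -4, ERR_OP = -5 };

static uint16_t dev_mem[DEV_WORDS];

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Returns the number of response bytes written, or a negative ERR_* code. */
int handle_request(const uint8_t *req, size_t req_len, uint8_t *resp, size_t resp_cap)
{
    if (req_len < HDR_LEN) return ERR_SHORT;

    uint32_t start = rd16(req + 1);
    uint32_t count = rd16(req + 3);
    size_t   bytes = (size_t)count * 2u;

    /* Quantity must be non-zero and within the per-request limit. */
    if (count == 0 || count > MAX_REQ_WORDS) return ERR_QUANTITY;
    /* The whole range must lie inside device memory (32-bit sum cannot wrap). */
    if (start + count > DEV_WORDS) return ERR_RANGE;

    switch (req[0]) {
    case OP_READ:
        /* Quantity requested must fit the caller's response buffer. */
        if (req_len != HDR_LEN || bytes > resp_cap) return ERR_LENGTH;
        memcpy(resp, &dev_mem[start], bytes);
        return (int)bytes;
    case OP_WRITE:
        /* Quantity claimed must equal the payload actually received. */
        if (req_len != HDR_LEN + bytes) return ERR_LENGTH;
        memcpy(&dev_mem[start], req + HDR_LEN, bytes);
        return 0;
    default:
        return ERR_OP;
    }
}
```

Dropping any one of the three checks lets a single attacker-controlled field drive a `memcpy` past the device memory, the response buffer or the received packet, which is the read, write and crash impact the advisory lists.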