
CVE-2025-11009: CWE-312 Cleartext Storage of Sensitive Information in Mitsubishi Electric Corporation GT Designer3 Version1 (GOT2000)

Severity: Medium
Tags: vulnerability, cve-2025-11009, cwe-312
Published: Wed Dec 17 2025 (12/17/2025, 00:55:58 UTC)
Source: CVE Database V5
Vendor/Project: Mitsubishi Electric Corporation
Product: GT Designer3 Version1 (GOT2000)

Description

Cleartext Storage of Sensitive Information vulnerability in Mitsubishi Electric GT Designer3 Version1 (GOT2000) all versions and Mitsubishi Electric GT Designer3 Version1 (GOT1000) all versions allows a local unauthenticated attacker to obtain plaintext credentials from the project file for GT Designer3. This could allow the attacker to operate GOT2000 series or GOT1000 series illegally by using the obtained credentials.

AI-Powered Analysis

AI analysis last updated: 12/24/2025, 04:47:40 UTC

Technical Analysis

CVE-2025-11009 is a vulnerability classified under CWE-312, indicating cleartext storage of sensitive information. It affects all versions of Mitsubishi Electric Corporation's GT Designer3 Version1 software used for programming and configuring GOT2000 and GOT1000 series human-machine interfaces (HMIs). The vulnerability arises because the software stores sensitive credentials in plaintext within project files. An attacker with local access to these project files, without requiring authentication or user interaction, can extract these plaintext credentials. These credentials can then be used to illegitimately operate or manipulate the GOT series devices, potentially compromising industrial control processes. The attack complexity is high, meaning the attacker needs specific conditions or knowledge to exploit it, and the attack vector is local, requiring physical or network access to the system storing the project files. The vulnerability impacts confidentiality severely but does not affect integrity or availability. No patches or fixes have been published yet, and no known exploits are reported in the wild. This vulnerability highlights a significant security weakness in how sensitive data is stored by industrial automation software, increasing the risk of unauthorized control over critical manufacturing systems.

Potential Impact

For European organizations, especially those in manufacturing, energy, and critical infrastructure sectors that rely on Mitsubishi Electric's GT Designer3 software and GOT series HMIs, this vulnerability poses a significant confidentiality risk. Unauthorized access to plaintext credentials could allow attackers to manipulate industrial control systems, potentially leading to operational disruptions or safety incidents. Although the attack requires local access and has high complexity, insider threats or attackers who gain physical or network access to engineering workstations could exploit this vulnerability. The lack of integrity and availability impact limits the scope to unauthorized information disclosure and potential unauthorized control commands. However, given the strategic importance of industrial automation in Europe, exploitation could have cascading effects on production lines and critical services. The absence of patches increases exposure time, necessitating immediate compensating controls.

Mitigation Recommendations

European organizations should implement strict access controls and physical security measures to limit local access to systems storing GT Designer3 project files. Encrypting project files or storing them on encrypted volumes can reduce the risk of credential disclosure. Regular audits and monitoring of access to engineering workstations and project files should be conducted to detect unauthorized access. Network segmentation should isolate engineering and HMI programming environments from broader corporate networks to reduce attack surface. Until official patches are released, consider using virtual desktop infrastructure (VDI) or hardened environments for HMI programming to limit credential exposure. Educate staff about the risks of local credential exposure and enforce strong endpoint security policies. Additionally, organizations should engage with Mitsubishi Electric for updates and apply patches promptly once available.
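One way to put the "audit and monitor access to project files" recommendation into practice, as an added example that is not part of this advisory and not Mitsubishi Electric code: review Windows file-access audit records (Security event ID 4663, produced when a SACL is set on the project directory and "Audit Object Access" is enabled) and flag any read of a project file by an account outside the engineering allow-list or by a process other than the HMI programming tool, which is what copying the file with a shell or file manager looks like. The project file extensions, account names, executable path and sample events are constructed assumptions and must be replaced with site values.

```python
"""Review Windows file-access audit events for GT Designer3 project files.

Added example for this advisory; it is not Mitsubishi Electric code and not
part of the original page. It assumes the engineering workstation has
"Audit Object Access" (File System) enabled with a SACL on the project
directory, so reads produce Security event ID 4663, and that those events
have been exported as dicts with the standard 4663 field names. The project
file extensions, account names, process paths and sample events below are
constructed assumptions; replace them with your site's values.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Assumed GT Designer3 project file extensions (GOT2000 / GOT1000); verify locally.
PROJECT_EXTENSIONS = {".gtx", ".gte"}

# Constructed allow-lists: accounts and processes expected to open project files.
AUTHORIZED_ACCOUNTS = {r"CORP\eng.alice", r"CORP\eng.bob"}
GT_DESIGNER3_EXE = r"C:\Program Files\<GT Designer3 install dir>\<GTD3 executable>"  # placeholder
ALLOWED_PROCESSES = {GT_DESIGNER3_EXE.lower()}

READ_DATA = 0x1  # ReadData bit in the 4663 AccessMask for files


@dataclass(frozen=True)
class Finding:
    account: str
    path: str
    process: str
    reasons: tuple


def is_project_file(path: str) -> bool:
    """True if the object path carries a project file extension."""
    return PureWindowsPath(path).suffix.lower() in PROJECT_EXTENSIONS


def review_events(events, authorized=AUTHORIZED_ACCOUNTS, allowed_procs=ALLOWED_PROCESSES):
    """Return a Finding for every project-file read that came from an account
    outside the engineering allow-list or from a process other than the
    HMI programming tool (e.g. a shell or file manager copying the file)."""
    findings = []
    for ev in events:
        if ev.get("EventID") != 4663:
            continue  # 4663 is the event that records a completed access
        path = ev.get("ObjectName", "")
        if not is_project_file(path):
            continue
        if not int(ev.get("AccessMask", "0x0"), 16) & READ_DATA:
            continue  # only reads can disclose the credentials stored in the file
        account = f"{ev.get('SubjectDomainName', '')}\\{ev.get('SubjectUserName', '')}"
        process = ev.get("ProcessName", "")
        reasons = []
        if account not in authorized:
            reasons.append("unauthorized account")
        if process.lower() not in allowed_procs:
            reasons.append("unexpected process")
        if reasons:
            findings.append(Finding(account, path, process, tuple(reasons)))
    return findings


# Constructed sample events (not real audit data).
SAMPLE_EVENTS = [
    {"EventID": 4663, "SubjectDomainName": "CORP", "SubjectUserName": "eng.alice",
     "ObjectName": r"D:\Projects\line3_hmi.GTX", "AccessMask": "0x1",
     "ProcessName": GT_DESIGNER3_EXE},
    {"EventID": 4663, "SubjectDomainName": "CORP", "SubjectUserName": "contractor.x",
     "ObjectName": r"D:\Projects\line3_hmi.GTX", "AccessMask": "0x1",
     "ProcessName": r"C:\Windows\explorer.exe"},
    {"EventID": 4663, "SubjectDomainName": "CORP", "SubjectUserName": "eng.bob",
     "ObjectName": r"D:\Projects\line3_hmi.GTX", "AccessMask": "0x1",
     "ProcessName": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 4663, "SubjectDomainName": "CORP", "SubjectUserName": "eng.bob",
     "ObjectName": r"D:\Projects\notes.txt", "AccessMask": "0x1",
     "ProcessName": r"C:\Windows\notepad.exe"},
    {"EventID": 4656, "SubjectDomainName": "CORP", "SubjectUserName": "contractor.x",
     "ObjectName": r"D:\Projects\line3_hmi.GTX", "AccessMask": "0x1",
     "ProcessName": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for f in review_events(SAMPLE_EVENTS):
        print(f"{f.account} read {f.path} via {f.process}: {', '.join(f.reasons)}")
```

On the constructed sample the reviewer reports two events: the contractor account reading the project file through Explorer, and an authorized engineer reading it from a command shell rather than the programming tool. Feed it events exported from the workstation's Security log (or from the SIEM the log is forwarded to) and tune the two allow-lists; the check is deliberately strict on process name because the advisory's exposure is the file itself, not the application.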


Technical Details

Data Version: 5.2
Assigner Short Name: Mitsubishi
Date Reserved: 2025-09-26T00:33:52.645Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6942060f473cb759e1e34e26

Added to database: 12/17/2025, 1:23:27 AM

Last enriched: 12/24/2025, 4:47:40 AM

Last updated: 2/5/2026, 5:51:33 PM
