CVE-2025-3511: CWE-1284 Improper Validation of Specified Quantity in Input in Mitsubishi Electric Corporation CC-Link IE TSN Remote I/O module NZ2GN2S1-32D

Medium
Published: Fri Apr 25 2025 (04/25/2025, 05:14:43 UTC)
Source: CVE
Vendor/Project: Mitsubishi Electric Corporation
Product: CC-Link IE TSN Remote I/O module NZ2GN2S1-32D

Description

Improper Validation of Specified Quantity in Input vulnerability in Mitsubishi Electric Corporation CC-Link IE TSN Remote I/O module, CC-Link IE TSN Analog-Digital Converter module, CC-Link IE TSN Digital-Analog Converter module, CC-Link IE TSN FPGA module and CC-Link IE TSN Remote Station Communication LSI CP620 with GbE-PHY allows a remote unauthenticated attacker to cause a Denial of Service condition in the products by sending specially crafted UDP packets.

AI-Powered Analysis

Last updated: 06/24/2025, 15:20:38 UTC

Technical Analysis

CVE-2025-3511 is a vulnerability identified in multiple Mitsubishi Electric Corporation CC-Link IE TSN products, including the Remote I/O module NZ2GN2S1-32D, Analog-Digital Converter module, Digital-Analog Converter module, FPGA module, and Remote Station Communication LSI CP620 with GbE-PHY. The root cause of the vulnerability is improper validation of the specified quantity in input data, classified under CWE-1284. Specifically, these devices fail to properly validate the quantity parameter in incoming UDP packets. This flaw allows a remote attacker, without requiring authentication, to send specially crafted UDP packets to the affected devices and trigger a Denial of Service (DoS) condition. The DoS impact likely results from resource exhaustion or unexpected behavior caused by malformed input, leading to device malfunction or crash.

The vulnerability affects versions 09 and prior of the listed products. Notably, exploitation requires no user interaction and can be performed remotely over the network, as the attack vector is UDP packets. No known exploits are currently reported in the wild, and no patches have been published at the time of disclosure. The vulnerability was reserved and published in April 2025, and it has been enriched by CISA, indicating recognition by US cybersecurity authorities.

The affected products are industrial control system (ICS) components used in automation and manufacturing environments, leveraging the CC-Link IE TSN protocol for real-time industrial Ethernet communication. Given the critical role of these devices in operational technology (OT) networks, the vulnerability poses a risk to industrial availability and operational continuity.

Potential Impact

For European organizations, especially those operating in manufacturing, industrial automation, energy, and critical infrastructure sectors, this vulnerability presents a significant risk to operational continuity. The affected Mitsubishi CC-Link IE TSN modules are integral to real-time control and monitoring systems. A successful DoS attack could disrupt production lines, cause downtime in critical processes, or impair safety systems dependent on these modules. Since the attack requires no authentication and can be launched remotely via UDP, it expands the threat surface to potentially any exposed network segment where these devices reside. This could lead to financial losses due to halted production, damage to equipment from uncontrolled states, and safety hazards if control systems fail. Additionally, disruption in supply chains or energy distribution managed by these systems could have cascading effects. The medium severity rating reflects the lack of direct data confidentiality or integrity compromise but highlights the critical impact on availability. European organizations with OT environments using Mitsubishi CC-Link IE TSN products must consider this vulnerability a priority for risk management and incident preparedness.

Mitigation Recommendations

1. Network Segmentation: Isolate CC-Link IE TSN devices on dedicated OT network segments with strict access controls to limit exposure to untrusted networks.
2. UDP Traffic Filtering: Implement firewall rules or intrusion prevention systems (IPS) to block or restrict unsolicited UDP traffic targeting the affected devices, especially from external or less trusted network zones.
3. Monitoring and Anomaly Detection: Deploy network monitoring tools capable of detecting unusual UDP packet patterns or spikes in traffic to the affected modules, enabling early detection of exploitation attempts.
4. Vendor Coordination: Engage with Mitsubishi Electric Corporation for updates on patches or firmware upgrades addressing this vulnerability. Plan and test timely deployment of such updates once available.
5. Incident Response Preparedness: Develop and rehearse response plans for DoS incidents affecting OT devices, including fallback procedures to maintain operational continuity.
6. Asset Inventory and Exposure Assessment: Maintain an accurate inventory of all CC-Link IE TSN devices and assess their network exposure to prioritize mitigation efforts.
7. Disable Unnecessary Services: Where possible, disable or restrict UDP services on the affected devices to reduce the attack surface.
8. Physical Security: Ensure physical access controls to prevent local exploitation or tampering that could facilitate remote attacks.
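Recommendations 2, 3 and 6 can be combined into a single check over flow records. The following is an added example, not vendor or original-page code: it flags UDP traffic to inventoried CC-Link IE TSN modules from sources outside an allowlist, and per-source rate spikes. All addresses, the allowlist, the thresholds and the flow-record layout are constructed assumptions; set the rate limit from a baseline of the site's normal traffic.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed site data (constructed): inventoried CC-Link IE TSN modules and
# the only network whose hosts should ever send them UDP.
TSN_DEVICES = {"10.20.0.11", "10.20.0.12"}
ALLOWED_SOURCES = [ip_network("10.20.0.0/28")]  # controller / engineering hosts
RATE_LIMIT = 3       # max UDP datagrams per source->device pair per window
WINDOW_SECONDS = 10  # sliding window length

# Constructed flow records: (epoch_seconds, protocol, src_ip, dst_ip)
SAMPLE_FLOWS = [
    (100, "udp", "10.20.0.2", "10.20.0.11"),
    (101, "udp", "10.20.0.2", "10.20.0.11"),
    (102, "tcp", "192.168.5.9", "10.20.0.11"),   # not UDP: ignored
    (103, "udp", "192.168.5.9", "10.20.0.12"),   # source outside allowlist
    (104, "udp", "10.20.0.3", "10.20.0.12"),
    (105, "udp", "10.20.0.3", "10.20.0.12"),
    (106, "udp", "10.20.0.3", "10.20.0.12"),
    (107, "udp", "10.20.0.3", "10.20.0.12"),     # 4th datagram inside 10 s
    (125, "udp", "10.20.0.3", "10.20.0.12"),     # window has expired
    (130, "udp", "10.20.0.2", "10.30.0.5"),      # not an inventoried device
]

def source_allowed(src):
    return any(ip_address(src) in net for net in ALLOWED_SOURCES)

def review_flows(flows):
    """Return sorted (kind, src, dst) findings for UDP sent to inventoried devices."""
    findings = set()
    recent = defaultdict(list)  # (src, dst) -> timestamps inside the window
    for ts, proto, src, dst in sorted(flows):
        if proto != "udp" or dst not in TSN_DEVICES:
            continue
        if not source_allowed(src):
            findings.add(("unapproved-source", src, dst))
        times = recent[(src, dst)]
        times.append(ts)
        # Drop timestamps that have aged out of the sliding window.
        times[:] = [t for t in times if ts - t < WINDOW_SECONDS]
        if len(times) > RATE_LIMIT:
            findings.add(("udp-rate-spike", src, dst))
    return sorted(findings)

if __name__ == "__main__":
    for finding in review_flows(SAMPLE_FLOWS):
        print(finding)
```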

Technical Details

Data Version: 5.1
Assigner Short Name: Mitsubishi
Date Reserved: 2025-04-11T04:10:12.030Z
CISA Enriched: true

Threat ID: 682d983ec4522896dcbeff0b

Added to database: 5/21/2025, 9:09:18 AM

Last enriched: 6/24/2025, 3:20:38 PM

Last updated: 8/11/2025, 5:47:53 AM
