CVE-2025-3755: CWE-1285 Improper Validation of Specified Index, Position, or Offset in Input in Mitsubishi Electric Corporation MELSEC iQ-F Series FX5U-32MT/ES

Severity: Critical
Tags: Vulnerability, CVE-2025-3755, CWE-1285
Published: Thu May 29 2025 (05/29/2025, 04:47:52 UTC)
Source: CVE Database V5
Vendor/Project: Mitsubishi Electric Corporation
Product: MELSEC iQ-F Series FX5U-32MT/ES

Description

Improper Validation of Specified Index, Position, or Offset in Input vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series CPU modules allows a remote unauthenticated attacker to read information in the product, to cause a Denial-of-Service (DoS) condition in MELSOFT connection, or to stop the operation of the CPU module (causing a DoS condition on the CPU module), by sending specially crafted packets. The product needs to be reset for recovery.

AI-Powered Analysis

Last updated: 07/07/2025, 04:55:35 UTC

Technical Analysis

CVE-2025-3755 is a critical vulnerability identified in Mitsubishi Electric Corporation's MELSEC iQ-F Series FX5U-32MT/ES CPU modules. The root cause is an improper validation of specified index, position, or offset in input data (classified under CWE-1285). This flaw allows a remote, unauthenticated attacker to send specially crafted packets to the affected device, resulting in multiple potential impacts. Firstly, the attacker can read sensitive information from the device, compromising confidentiality. Secondly, the vulnerability can be exploited to cause a Denial-of-Service (DoS) condition on the MELSOFT connection, disrupting communication between the CPU module and the programming/monitoring software. Thirdly, the attacker can stop the operation of the CPU module itself, causing a DoS condition that halts the industrial control processes managed by the PLC. Recovery from such an attack requires a physical reset of the device, indicating that the attack can cause persistent disruption. The CVSS v3.1 base score is 9.1, reflecting the critical nature of this vulnerability. The attack vector is network-based (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and impacts confidentiality and availability severely (C:H, A:H), but not integrity (I:N). The vulnerability affects all versions of the FX5U-32MT/ES CPU modules, indicating a widespread exposure. No patches or known exploits in the wild are reported at the time of publication, but the severity and ease of exploitation make this a high-risk issue for industrial environments relying on these PLCs.

Potential Impact

For European organizations, especially those in manufacturing, utilities, and critical infrastructure sectors that utilize Mitsubishi Electric's MELSEC iQ-F Series PLCs, this vulnerability poses a significant risk. Exploitation can lead to unauthorized disclosure of operational data, potentially revealing sensitive process information or intellectual property. More critically, the ability to cause DoS conditions on the MELSOFT connection and CPU modules can disrupt industrial automation processes, leading to operational downtime, production losses, safety hazards, and potential cascading effects on supply chains. Given the reliance on these PLCs for real-time control, an attack could also impact safety systems, increasing the risk of physical damage or injury. The requirement for a device reset to recover from the DoS condition means that automated recovery is not possible, potentially prolonging downtime. The lack of authentication and user interaction requirements lowers the barrier for attackers, increasing the likelihood of exploitation. European organizations with interconnected industrial networks or those exposed to external networks are particularly vulnerable.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should implement the following specific measures:

1) Network Segmentation: Isolate MELSEC iQ-F Series PLCs and MELSOFT programming interfaces within dedicated, secure industrial network segments with strict access controls to minimize exposure to untrusted networks.
2) Access Control: Restrict network access to the PLCs to only trusted management stations and authorized personnel using firewalls and network access control lists (ACLs).
3) Monitoring and Anomaly Detection: Deploy network monitoring solutions capable of detecting unusual or malformed packets targeting the PLCs, enabling rapid detection of exploitation attempts.
4) Incident Response Preparedness: Develop and rehearse incident response plans that include procedures for safely resetting affected CPU modules to minimize downtime.
5) Vendor Coordination: Engage with Mitsubishi Electric for updates on patches or firmware upgrades addressing this vulnerability and plan timely deployment once available.
6) Physical Security: Ensure physical access to PLCs is controlled to prevent unauthorized manual resets or tampering.
7) Network Hardening: Disable unnecessary services and protocols on the PLCs and related devices to reduce the attack surface.
8) Regular Audits: Conduct periodic security assessments of industrial control systems to identify and remediate exposure to this and similar vulnerabilities.

Technical Details

Data Version: 5.1
Assigner Short Name: Mitsubishi
Date Reserved: 2025-04-17T07:04:51.773Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6837e96e182aa0cae26cd081

Added to database: 5/29/2025, 4:58:22 AM

Last enriched: 7/7/2025, 4:55:35 AM

Last updated: 7/31/2025, 12:50:20 PM
