CVE-2025-3755: CWE-1285 Improper Validation of Specified Index, Position, or Offset in Input in Mitsubishi Electric Corporation MELSEC iQ-F Series FX5U-32MT/ES
Improper Validation of Specified Index, Position, or Offset in Input vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series CPU modules allows a remote unauthenticated attacker to read information in the product, to cause a Denial-of-Service (DoS) condition in MELSOFT connection, or to stop the operation of the CPU module (causing a DoS condition on the CPU module), by sending specially crafted packets. The product needs to be reset for recovery.
AI Analysis
Technical Summary
CVE-2025-3755 is a critical vulnerability identified in Mitsubishi Electric Corporation's MELSEC iQ-F Series CPU modules, specifically the FX5U-32MT/ES models. The vulnerability stems from improper validation of specified index, position, or offset in input data, classified under CWE-1285. This flaw allows a remote, unauthenticated attacker to exploit the system by sending specially crafted packets to the affected device. Successful exploitation can lead to multiple adverse outcomes: unauthorized reading of sensitive information stored or processed by the device, causing a Denial-of-Service (DoS) condition in the MELSOFT connection interface, or halting the CPU module's operation entirely, which also results in a DoS condition. Recovery from such an attack requires a manual reset of the device, indicating a persistent disruption. The vulnerability affects all versions of the FX5U-32MT/ES CPU modules, highlighting a broad attack surface. The CVSS v3.1 base score of 9.1 reflects the high severity, with an attack vector that is network-based (AV:N), requiring no privileges (PR:N) or user interaction (UI:N), and impacting confidentiality (C:H) and availability (A:H) but not integrity (I:N). No known exploits are currently reported in the wild, and no patches have been released at the time of publication, increasing the urgency for mitigation. The vulnerability's root cause lies in insufficient input validation, which is a common and critical security oversight in industrial control systems (ICS) and programmable logic controllers (PLCs), potentially allowing attackers to disrupt critical industrial processes remotely.
Potential Impact
For European organizations, especially those operating in industrial sectors such as manufacturing, energy, utilities, and critical infrastructure, this vulnerability poses a significant risk. The MELSEC iQ-F Series PLCs are widely used in automation and control systems across Europe. Exploitation could lead to unauthorized disclosure of operational data, potentially revealing sensitive process information or intellectual property. More critically, the ability to cause DoS conditions on the MELSOFT connection or the CPU module itself can halt industrial processes, leading to operational downtime, safety hazards, and financial losses. In sectors like energy production or water treatment, such disruptions could have cascading effects on public safety and service continuity. The unauthenticated nature of the attack vector means that attackers do not need prior access or credentials, increasing the threat from external adversaries, including cybercriminals and state-sponsored actors. The lack of available patches further exacerbates the risk, as organizations must rely on compensating controls until a fix is released. The necessity to reset the device manually after an attack implies potential prolonged downtime and increased maintenance efforts. Overall, the vulnerability threatens confidentiality and availability, with no impact on integrity, but the operational disruption alone is critical for industrial environments.
Mitigation Recommendations
Given the absence of an official patch, European organizations should implement immediate compensating controls to mitigate risk. First, network segmentation should be enforced to isolate MELSEC iQ-F Series PLCs from general IT networks and restrict access to trusted management stations only. Deploy strict firewall rules to block unauthorized inbound traffic to the PLCs, especially from untrusted external networks. Intrusion detection and prevention systems (IDS/IPS) should be tuned to detect anomalous packets targeting the MELSOFT protocol or unusual traffic patterns to the PLCs. Employ network-level authentication and VPNs for remote access to ensure only authorized personnel can communicate with these devices. Regularly monitor logs and network traffic for signs of exploitation attempts. Additionally, organizations should prepare incident response plans specific to PLC DoS scenarios, including procedures for safely resetting affected devices to minimize downtime. Engage with Mitsubishi Electric for timely updates and patches, and plan for rapid deployment once available. Finally, consider implementing application-layer gateways or protocol-aware proxies that can validate and sanitize inputs before they reach the PLCs, reducing the risk of malformed packet exploitation.
Affected Countries
Germany, France, Italy, United Kingdom, Spain, Netherlands, Belgium, Poland, Sweden, Czech Republic
Technical Details
- Data Version: 5.1
- Assigner Short Name: Mitsubishi
- Date Reserved: 2025-04-17T07:04:51.773Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6837e96e182aa0cae26cd081
Added to database: 5/29/2025, 4:58:22 AM
Last enriched: 8/28/2025, 1:07:24 AM
Last updated: 9/27/2025, 7:57:15 AM