
CVE-2025-5241: CWE-645 Overly Restrictive Account Lockout Mechanism in Mitsubishi Electric Corporation MELSEC iQ-F Series FX5U-32MT/ES

Medium
Tags: Vulnerability, CVE-2025-5241, cve, cwe-645
Published: Fri Jul 11 2025 (07/11/2025, 00:16:43 UTC)
Source: CVE Database V5
Vendor/Project: Mitsubishi Electric Corporation
Product: MELSEC iQ-F Series FX5U-32MT/ES

Description

Overly Restrictive Account Lockout Mechanism vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series allows a remote unauthenticated attacker to lockout legitimate users for a certain period by repeatedly attempting to login with incorrect passwords. The legitimate users will be unable to login until a certain period has passed after the lockout or until the product is reset.

AI-Powered Analysis

Last updated: 07/11/2025, 00:46:34 UTC

Technical Analysis

CVE-2025-5241 identifies a vulnerability in the Mitsubishi Electric Corporation MELSEC iQ-F Series FX5U-32MT/ES programmable logic controllers (PLCs). The issue stems from an overly restrictive account lockout mechanism designed to protect against brute-force login attempts. Specifically, the vulnerability allows a remote unauthenticated attacker to deliberately trigger repeated failed login attempts, causing the system to lock out legitimate users for a predefined period or until the device is reset. This lockout prevents authorized personnel from accessing the device during the lockout window, effectively resulting in a denial of service (DoS) condition. The vulnerability is classified under CWE-645 (Overly Restrictive Account Lockout Mechanism): the lockout is too easy for an unauthenticated party to trigger and, once triggered, blocks legitimate users as well as the attacker. The CVSS v3.1 base score is 5.3 (medium severity), reflecting that the attack vector is network-based (AV:N), requires no privileges (PR:N) and no user interaction (UI:N), and impacts availability only (A:L) without affecting confidentiality or integrity. All versions of the affected product are vulnerable, and no patches or mitigations had been officially released as of the publication date. No known exploits are currently reported in the wild. The vulnerability is significant because MELSEC iQ-F Series PLCs are widely used in industrial automation environments, including manufacturing, utilities, and critical infrastructure sectors. An attacker exploiting this flaw could disrupt industrial processes by denying operator access to control systems, potentially causing operational delays or safety risks if timely interventions are blocked.
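To make the CWE-645 design flaw concrete, here is a small simulation, added as an illustration and not code from Mitsubishi Electric or from the advisory. It contrasts a global lockout (a fixed number of failures from any source locks the account for everyone, the pattern the advisory describes) with a per-source exponential backoff that slows an abusive source without blocking an operator elsewhere. The threshold, lockout length, addresses and passwords are assumed values for the model; the real device's parameters are not stated on the page.

```python
"""Constructed model of two login-throttling policies (not MELSEC firmware code)."""
from collections import defaultdict

LOCKOUT_THRESHOLD = 5    # failures that trigger a lockout (assumed value)
LOCKOUT_SECONDS = 600.0  # length of the lockout window (assumed value)


class GlobalLockout:
    """CWE-645 pattern: N failed attempts from *any* source lock the account for all users."""

    def __init__(self, password):
        self.password = password
        self.failures = 0
        self.locked_until = 0.0

    def login(self, source, password, now):
        if now < self.locked_until:
            return "locked"           # legitimate and malicious sources alike
        if password == self.password:
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= LOCKOUT_THRESHOLD:
            self.failures = 0
            self.locked_until = now + LOCKOUT_SECONDS
        return "denied"


class PerSourceBackoff:
    """Hardened alternative: track failures per source address and apply an
    exponential retry delay to that source only, capped at MAX_DELAY."""

    BASE_DELAY = 1.0
    MAX_DELAY = 300.0

    def __init__(self, password):
        self.password = password
        self.failures = defaultdict(int)
        self.retry_after = defaultdict(float)

    def login(self, source, password, now):
        if now < self.retry_after[source]:
            return "throttled"        # only this source is slowed down
        if password == self.password:
            self.failures[source] = 0
            return "ok"
        self.failures[source] += 1
        delay = min(self.BASE_DELAY * 2 ** (self.failures[source] - 1), self.MAX_DELAY)
        self.retry_after[source] = now + delay
        return "denied"


def simulate(policy_cls):
    """Constructed scenario: 10.0.0.99 sprays wrong passwords once per second,
    then the operator at 10.0.0.5 logs in with the right one.
    Returns (list of the sprayer's outcomes, the operator's outcome)."""
    policy = policy_cls("correct-horse")
    now = 0.0
    sprayer_results = []
    for i in range(LOCKOUT_THRESHOLD):
        sprayer_results.append(policy.login("10.0.0.99", f"guess{i}", now))
        now += 1.0
    operator_result = policy.login("10.0.0.5", "correct-horse", now)
    return sprayer_results, operator_result


if __name__ == "__main__":
    for cls in (GlobalLockout, PerSourceBackoff):
        spray, operator = simulate(cls)
        print(f"{cls.__name__:16s} sprayer={spray} operator={operator}")
```

Under GlobalLockout the operator's correct password is rejected as "locked" because the sprayer's five failures consumed the threshold; under PerSourceBackoff the sprayer is throttled after its second failure while the operator logs in normally. Per-source throttling is not a complete defence (an attacker with many addresses still gets some attempts), which is why the mitigation section below also relies on segmentation and access control rather than on the lockout alone.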

Potential Impact

For European organizations, especially those operating in industrial sectors such as manufacturing, energy, water treatment, and transportation, this vulnerability poses a risk of operational disruption. The MELSEC iQ-F Series PLCs are commonly deployed in automated control systems across Europe. An attacker exploiting this vulnerability could remotely lock out legitimate operators from accessing critical control devices, leading to downtime or delayed response to process anomalies. While the vulnerability does not allow data theft or manipulation, the denial of service effect could impact production lines, safety systems, or infrastructure management. In regulated industries, such disruptions could also lead to compliance violations or financial penalties. The risk is heightened in environments where remote access to PLCs is enabled without adequate network segmentation or monitoring. Given the lack of patches, organizations must rely on compensating controls to mitigate the threat. The absence of known exploits reduces immediate risk but does not eliminate the potential for future attacks, especially as threat actors often target industrial control systems in Europe due to their critical role in the economy and infrastructure.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should implement the following specific measures:

1) Network Segmentation: Isolate MELSEC iQ-F Series PLCs from general IT networks and restrict access to trusted management stations only, using firewalls and VLANs.
2) Access Control: Enforce strict access control policies, including limiting remote access to PLCs via VPNs with multi-factor authentication and IP whitelisting.
3) Monitoring and Alerting: Deploy intrusion detection systems (IDS) and continuous monitoring to detect repeated failed login attempts indicative of lockout attacks.
4) Incident Response Planning: Prepare procedures to quickly reset devices or restore access in case of lockout, minimizing downtime.
5) Vendor Engagement: Maintain communication with Mitsubishi Electric for updates or patches and apply them promptly once available.
6) Physical Security: Ensure physical access to PLCs is restricted to prevent manual resets or tampering.
7) User Training: Educate operators on recognizing lockout symptoms and reporting incidents promptly.

These targeted actions go beyond generic advice by focusing on network architecture, access restrictions, and operational readiness tailored to the industrial control environment.
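Item 3 (monitoring for repeated failed logins) can be implemented as a simple sliding-window counter over authentication logs. The following detector is an added example, not tooling from the advisory or from Mitsubishi Electric; the log format, host names and addresses are constructed, since the page does not state what the PLC or a fronting firewall actually logs. It counts failures per (target host, source address) within a time window and raises one alert per burst, ignoring an operator's isolated typo and lines it cannot parse.

```python
"""Constructed sliding-window detector for login-failure bursts against PLCs."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (assumption): "<ISO-8601 UTC> <host> auth: login <failed|ok> user=<u> src=<ip>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: login (?P<result>failed|ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)
WINDOW = timedelta(minutes=5)   # assumed detection window
THRESHOLD = 5                   # assumed failures-per-window alert threshold

# Constructed sample: a burst from 10.0.0.99 against plc-fx5u-01, one operator
# typo from 10.0.0.5, a single failure against a second PLC, and a malformed line.
SAMPLE_LOGS = """\
2025-07-11T00:16:43Z plc-fx5u-01 auth: login failed user=admin src=10.0.0.99
2025-07-11T00:16:44Z plc-fx5u-01 auth: login failed user=admin src=10.0.0.99
2025-07-11T00:16:50Z plc-fx5u-01 auth: login failed user=operator src=10.0.0.5
2025-07-11T00:16:55Z plc-fx5u-01 auth: login ok user=operator src=10.0.0.5
this line is not an auth record
2025-07-11T00:17:01Z plc-fx5u-01 auth: login failed user=admin src=10.0.0.99
2025-07-11T00:17:02Z plc-fx5u-02 auth: login failed user=admin src=10.0.0.99
2025-07-11T00:17:30Z plc-fx5u-01 auth: login failed user=admin src=10.0.0.99
2025-07-11T00:18:10Z plc-fx5u-01 auth: login failed user=admin src=10.0.0.99
2025-07-11T00:18:11Z plc-fx5u-01 auth: login failed user=admin src=10.0.0.99
"""


def detect_failure_bursts(lines, threshold=THRESHOLD, window=WINDOW):
    """Return a list of alert dicts, one per (host, src) pair whose failed-login
    count within `window` reaches `threshold`. Successful logins are not counted."""
    recent = defaultdict(deque)   # (host, src) -> timestamps of recent failures
    alerted = set()
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or m["result"] != "failed":
            continue                # skip non-auth lines and successful logins
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        key = (m["host"], m["src"])
        dq = recent[key]
        dq.append(ts)
        while dq and ts - dq[0] > window:
            dq.popleft()            # drop failures that fell out of the window
        if len(dq) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "host": key[0],
                "src": key[1],
                "count": len(dq),
                "first": dq[0].isoformat(),
                "last": ts.isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_failure_bursts(SAMPLE_LOGS.splitlines()):
        print("ALERT possible lockout attempt:", alert)
```

Keying on (host, source) rather than on the account alone is what separates a lockout attempt from ordinary operator mistakes, and the window should be set shorter than the device's lockout window so the alert fires while an incident responder can still follow the reset procedure from item 4.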


Technical Details

Data Version
5.1
Assigner Short Name
Mitsubishi
Date Reserved
2025-05-27T03:34:31.761Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68705b4fa83201eaacaad88d

Added to database: 7/11/2025, 12:31:11 AM

Last enriched: 7/11/2025, 12:46:34 AM

Last updated: 7/11/2025, 3:53:17 AM
