CVE-2025-5241: CWE-645 Overly Restrictive Account Lockout Mechanism in Mitsubishi Electric Corporation MELSEC iQ-F Series FX5U-32MT/ES
Overly Restrictive Account Lockout Mechanism vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series allows a remote unauthenticated attacker to lock out legitimate users for a certain period by repeatedly attempting to log in with incorrect passwords. The legitimate users will be unable to log in until a certain period has passed after the lockout or until the product is reset.
AI Analysis
Technical Summary
CVE-2025-5241 identifies a vulnerability in the Mitsubishi Electric Corporation MELSEC iQ-F Series FX5U-32MT/ES programmable logic controllers (PLCs). The issue stems from an overly restrictive account lockout mechanism that was designed to protect against brute-force login attempts. Because the lockout counter can be driven by anyone who can reach the login interface, a remote unauthenticated attacker can deliberately submit repeated failed login attempts and cause the device to lock out legitimate users for a predefined period or until the device is reset. This lockout prevents authorized personnel from accessing the device during the lockout window, effectively resulting in a denial of service (DoS) condition. The vulnerability is classified under CWE-645 (Overly Restrictive Account Lockout Mechanism): a protection against password guessing that can itself be turned into a denial-of-service lever. The CVSS v3.1 base score is 5.3 (medium severity), reflecting that the attack vector is network-based (AV:N), requires no privileges (PR:N) and no user interaction (UI:N), and impacts availability only (A:L) without affecting confidentiality or integrity. All versions of the affected product are vulnerable, and no patches or mitigations have been officially released as of the publication date. No known exploits are currently reported in the wild. The vulnerability is significant because MELSEC iQ-F Series PLCs are widely used in industrial automation environments, including manufacturing, utilities, and critical infrastructure sectors. An attacker exploiting this flaw could disrupt industrial processes by denying operator access to control systems, potentially causing operational delays or safety risks if timely interventions are blocked.
Potential Impact
For European organizations, especially those operating in industrial sectors such as manufacturing, energy, water treatment, and transportation, this vulnerability poses a risk of operational disruption. The MELSEC iQ-F Series PLCs are commonly deployed in automated control systems across Europe. An attacker exploiting this vulnerability could remotely lock out legitimate operators from accessing critical control devices, leading to downtime or delayed response to process anomalies. While the vulnerability does not allow data theft or manipulation, the denial of service effect could impact production lines, safety systems, or infrastructure management. In regulated industries, such disruptions could also lead to compliance violations or financial penalties. The risk is heightened in environments where remote access to PLCs is enabled without adequate network segmentation or monitoring. Given the lack of patches, organizations must rely on compensating controls to mitigate the threat. The absence of known exploits reduces immediate risk but does not eliminate the potential for future attacks, especially as threat actors often target industrial control systems in Europe due to their critical role in the economy and infrastructure.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should implement the following specific measures:
1) Network Segmentation: Isolate MELSEC iQ-F Series PLCs from general IT networks and restrict access to trusted management stations only, using firewalls and VLANs.
2) Access Control: Enforce strict access control policies, including limiting remote access to PLCs via VPNs with multi-factor authentication and IP whitelisting.
3) Monitoring and Alerting: Deploy intrusion detection systems (IDS) and continuous monitoring to detect repeated failed login attempts indicative of lockout attacks.
4) Incident Response Planning: Prepare procedures to quickly reset devices or restore access in case of lockout, minimizing downtime.
5) Vendor Engagement: Maintain communication with Mitsubishi Electric for updates or patches and apply them promptly once available.
6) Physical Security: Ensure physical access to PLCs is restricted to prevent manual resets or tampering.
7) User Training: Educate operators on recognizing lockout symptoms and reporting incidents promptly.
These targeted actions go beyond generic advice by focusing on network architecture, access restrictions, and operational readiness tailored to the industrial control environment.
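The monitoring measure above (item 3) depends on alerting before the PLC's own lockout counter trips. The following detector is an added example, not code from the advisory or from Mitsubishi Electric: it runs a sliding window over constructed authentication-log lines in an assumed "timestamp src dst user result" format (the FX5U's real log format is not given here) and flags a source that accumulates a configurable number of failed logins against one PLC, distinguishing a single operator's mistyped password from a flood aimed at triggering the lockout.

```python
"""Sliding-window detector for lockout-style authentication floods.

Added example; log format, field names and thresholds are assumptions,
since the advisory does not describe the device's actual log output.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines: one operator typo followed by a successful login,
# then a second source hammering two accounts on the same PLC.
SAMPLE_LOG = """\
2025-07-11T00:30:01 10.0.5.20 192.168.3.10 operator FAIL
2025-07-11T00:30:09 10.0.5.20 192.168.3.10 operator OK
2025-07-11T00:31:00 172.16.9.44 192.168.3.10 operator FAIL
2025-07-11T00:31:02 172.16.9.44 192.168.3.10 operator FAIL
2025-07-11T00:31:03 172.16.9.44 192.168.3.10 operator FAIL
2025-07-11T00:31:05 172.16.9.44 192.168.3.10 maint FAIL
2025-07-11T00:31:06 172.16.9.44 192.168.3.10 maint FAIL
2025-07-11T00:45:00 172.16.9.44 192.168.3.10 operator FAIL
"""


def parse(line):
    ts, src, dst, user, result = line.split()
    return datetime.fromisoformat(ts), src, dst, user, result


def detect_lockout_floods(log_text, window=timedelta(minutes=5), threshold=4):
    """Return one alert per (src, dst) pair the first time `threshold`
    failed logins from `src` against PLC `dst` fall inside `window`.

    Each alert is (src, dst, failures_in_window, distinct_users, first_seen).
    `threshold` is an assumed value; set it below the device's lockout
    count so the alert arrives before legitimate users are locked out.
    """
    windows = defaultdict(deque)  # (src, dst) -> deque of (timestamp, user)
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        ts, src, dst, user, result = parse(line)
        if result != "FAIL":
            continue  # only failures drive a lockout counter
        key = (src, dst)
        q = windows[key]
        q.append((ts, user))
        while q and ts - q[0][0] > window:  # evict failures outside the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            distinct = len({u for _, u in q})
            alerts.append((src, dst, len(q), distinct, q[0][0].isoformat()))
    return alerts
```

With the default threshold the operator at 10.0.5.20 never alerts, while 172.16.9.44 is flagged at its fourth failure; the isolated failure at 00:45 falls outside the window and does not re-trigger.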
Affected Countries
Germany, France, Italy, United Kingdom, Netherlands, Belgium, Poland, Spain, Sweden, Czech Republic
Technical Details
- Data Version: 5.1
- Assigner Short Name: Mitsubishi
- Date Reserved: 2025-05-27T03:34:31.761Z
- CVSS Version: 3.1
- State: PUBLISHED
Added to database: 7/11/2025, 12:31:11 AM
Last enriched: 7/11/2025, 12:46:34 AM
Last updated: 7/11/2025, 12:46:34 AM