CVE-2025-7376 is a vulnerability identified in multiple Mitsubishi Electric Corporation products, including GENESIS64 (all versions), GENESIS version 11.00, and MC Works64 (all versions). The vulnerability stems from improper handling of Windows Shortcut Following (.LNK) files, classified under CWE-64 (Improper Neutralization of XPath Expressions). Specifically, the affected processes allow a local authenticated attacker to exploit symbolic link (symlink) creation to redirect write operations intended for legitimate files to arbitrary target files. By creating a symbolic link from a file used as a write destination by these processes to a target file, an attacker can cause unauthorized writes, effectively overwriting or destroying critical files on the system. This manipulation can lead to denial-of-service (DoS) conditions if the targeted files are essential for the operation of the PC or the affected software. The vulnerability requires local authentication and user interaction, as indicated by the CVSS vector (AV:L/AC:L/PR:L/UI:R), and has a CVSS v3.1 base score of 5.9, categorized as medium severity. The scope is classified as changed (S:C), indicating that the vulnerability affects resources beyond the initially vulnerable component. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability's impact is primarily on integrity, as it allows unauthorized modification of files, but does not directly affect confidentiality or availability, although availability can be indirectly impacted through DoS conditions. The vulnerability affects multiple Mitsubishi Electric industrial automation and control software products widely used in industrial environments for supervisory control and data acquisition (SCADA) and human-machine interface (HMI) applications.

For European organizations, especially those in manufacturing, energy, utilities, and critical infrastructure sectors relying on Mitsubishi Electric's GENESIS64 and related products, this vulnerability poses a significant risk. Successful exploitation could allow an insider or local attacker with authenticated access to disrupt operations by corrupting or destroying critical configuration or operational files, leading to system downtime or degraded performance. This could impact production lines, energy distribution, or other automated processes, potentially causing financial losses and safety hazards. Given the industrial focus of the affected products, the integrity of control systems is paramount, and unauthorized file modifications could undermine trust in system outputs or cause cascading failures. While remote exploitation is not indicated, the requirement for local authentication means that attackers might leverage other attack vectors (e.g., phishing, credential theft) to gain initial access before exploiting this vulnerability. The lack of known exploits in the wild provides a window for mitigation, but the medium severity score suggests that organizations should prioritize patching and mitigation to prevent potential insider threats or lateral movement within networks.

1. Restrict local access: Limit the number of users with local authenticated access to systems running affected Mitsubishi Electric products. Employ strict access controls and least privilege principles. 2. Monitor and audit: Implement monitoring for unusual file system activities, especially creation of symbolic links (.LNK files) and unexpected write operations to critical files used by GENESIS64 and related software. 3. Application hardening: Where possible, configure the affected software to run with minimal privileges and in isolated environments to reduce the impact of unauthorized writes. 4. Patch management: Although no patches are currently linked, maintain close communication with Mitsubishi Electric for updates or hotfixes addressing CVE-2025-7376 and apply them promptly upon release. 5. User training: Educate users about the risks of local credential compromise and the importance of not executing untrusted files or shortcuts. 6. Network segmentation: Isolate industrial control systems from general IT networks to reduce the risk of lateral movement by attackers who gain initial access. 7. Backup and recovery: Maintain reliable backups of critical configuration and operational files to enable rapid restoration in case of file corruption or destruction. 8. Implement endpoint protection solutions capable of detecting and blocking suspicious symbolic link creation or manipulation activities.