ICS Advisory

Mitsubishi Electric Europe B.V. smartRTU

Release Date
Alert Code
ICSA-25-105-09
Related topics:
Industrial Control System Vulnerabilities, Industrial Control Systems

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Mitsubishi Electric Europe B.V.
  • Equipment: smartRTU
  • Vulnerability: Missing Authentication for Critical Function, OS Command Injection

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow a remote unauthenticated attacker to disclose, tamper with, destroy or delete information in the product, or cause a denial-of service condition on the product.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Mitsubishi Electric Europe reports following versions of smartRTU are affected:

  • smartRTU: Versions 3.37 and prior

3.2 VULNERABILITY OVERVIEW

3.2.1 Missing Authentication for Critical Function CWE-306

A remote unauthenticated attacker may be able to bypass authentication by utilizing a specific API route to execute arbitrary OS commands.

CVE-2025-3232 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

A CVSS v4 score has also been calculated for CVE-2025-3232. A base score of 8.7 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H).

3.2.1 Improper Neutralization of Special Elements used in an OS Command CWE-78

A remote unauthenticated attacker who has bypassed authentication could execute arbitrary OS commands to disclose, tamper with, destroy or delete information in Mitsubishi Electric smartRTU, or cause a denial-of service condition on the product.

CVE-2025-3128 has been assigned to this vulnerability. A CVSS v3.1 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-3128. A base score of 9.3 has been calculated; the CVSS vector string is (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Japan

3.4 RESEARCHER

Noam Moshe of Claroty Team82 reported this vulnerability to CISA.

4. MITIGATIONS

Mitsubishi Electric Europe B.V. recommends that users take note of the following mitigation measures to minimize the risk of exploiting this vulnerability:

  • Use a firewall or virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required.
  • Use within a LAN and block access from untrusted networks and hosts through firewalls.
  • Use web application firewall (WAF) to prevent to filter, monitor and block any malicious HTTP/HTTPS traffic.
  • Allow web client access from trusted networks only.

For more information, please see Mitsubishi Electric Europe MEU_PSIRT_2025-3128 under the "Vulnerability Information" section.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • April 15, 2025: Initial Publication

This product is provided subject to this Notification and this Privacy & Use policy.

Vendor

  • Mitsubishi Electric

Tags

Sector: Critical Manufacturing Sector
Topics: Industrial Control System Vulnerabilities, Industrial Control Systems

Please share your thoughts

We recently updated our anonymous product survey; we’d welcome your feedback.

Related Advisories