CVE-2025-3128

Summary

A remote unauthenticated attacker who has bypassed authentication could execute arbitrary OS commands to disclose, tamper with, destroy or delete information in Mitsubishi Electric smartRTU, or cause a denial-of service condition on the product.

Affected Software

VendorProductVersion RangeStatus
Mitsubishi Electric EuropesmartRTU0 <= 3.37affected

Weaknesses

  • CWE-78: CWE-78

Workarounds

Mitsubishi Electric Europe B.V. recommends that users take note of the following mitigation measures to minimize the risk of exploiting this vulnerability:

  • Use a firewall or virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required.

  • Use within a LAN and block access from untrusted networks and hosts through firewalls.

  • Use web application firewall (WAF) to prevent to filter, monitor and block any malicious HTTP/HTTPS traffic.

  • Allow web client access from trusted networks only.

For more information, please see Mitsubishi Electric Europe MEU_PSIRT_2025-3128 https://emea.mitsubishielectric.com/fa/products/quality/quality-news-information  under the "Vulnerability Information" section.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References