
CVE-2025-7731: MELSEC iQ-F Information Disclosure Flaw

CVE-2025-7731 is an information disclosure vulnerability in Mitsubishi Electric MELSEC iQ-F Series CPU modules, allowing attackers to intercept credentials via SLMP messages and manipulate device operations.

Updated: May 11, 2026

CVE-2025-7731 Overview

CVE-2025-7731 is a cleartext transmission of sensitive information vulnerability [CWE-319] affecting Mitsubishi Electric MELSEC iQ-F Series CPU modules. The flaw resides in the handling of SLMP (SeamLess Message Protocol) communication, where authentication credentials traverse the network without encryption. A remote, unauthenticated attacker positioned to intercept SLMP traffic can capture these credentials. With the stolen credentials, the attacker can read or write device values on the programmable logic controller (PLC) and halt program execution. The vulnerability impacts industrial control system (ICS) environments where MELSEC iQ-F controllers govern automation processes.

Critical Impact

Network-based interception of SLMP traffic exposes PLC credentials, enabling unauthorized read/write operations and program shutdown on industrial control devices.

Affected Products

  • Mitsubishi Electric MELSEC iQ-F Series CPU modules (per vendor advisory 2025-012)
  • Devices using SLMP communication for engineering or HMI access
  • Industrial control deployments exposing SLMP traffic to untrusted networks

Discovery Timeline

  • 2025-09-01 - CVE-2025-7731 published to the National Vulnerability Database (NVD)
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-7731

Vulnerability Analysis

The MELSEC iQ-F CPU module exchanges authentication data over SLMP without applying transport-layer encryption. SLMP is an open, application-layer protocol used to interact with Mitsubishi PLCs for device monitoring, programming, and diagnostics. Because credential material is encoded in cleartext within SLMP request frames, any adversary with passive access to the network segment can extract it using standard packet capture tools. The attack does not require authentication, user interaction, or elevated privileges, and it can be performed entirely over the network. Once credentials are obtained, the attacker can authenticate to the PLC as a legitimate engineering client and issue device-level commands. These commands include reading data registers, writing arbitrary values, and stopping running ladder logic programs. The integrity of physical processes controlled by the PLC depends on this credential remaining confidential.

Root Cause

The root cause is the absence of encryption on the SLMP authentication exchange. The protocol implementation transmits credential fields in plaintext rather than wrapping the session in TLS or applying challenge-response authentication. This design decision violates the secure transmission principle described in CWE-319: Cleartext Transmission of Sensitive Information.

Attack Vector

An attacker on the same broadcast domain, on a transit path, or in control of a compromised network device can sniff SLMP packets between an engineering workstation and the CPU module. After harvesting credentials, the attacker replays them in a new SLMP session against the target PLC. Successful authentication grants the attacker the same operational privileges as the legitimate engineer, including the ability to write device values or issue a STOP instruction to the running program. Detailed exploitation mechanics are described in the Mitsubishi Electric Vulnerability Report and the CISA ICS Advisory ICSA-25-240-02.

No verified public proof-of-concept code is available for CVE-2025-7731.
Refer to the vendor advisory and CISA bulletin for protocol-level details.

Detection Methods for CVE-2025-7731

Indicators of Compromise

  • Unexpected SLMP sessions originating from hosts that are not approved engineering workstations or HMI servers.
  • PLC operating mode transitions from RUN to STOP outside of scheduled maintenance windows.
  • Device value writes to registers from source IP addresses absent from the asset inventory.
  • Repeated SLMP authentication attempts from a single source within a short interval, suggesting credential replay.

Detection Strategies

  • Deploy ICS-aware network intrusion detection that parses SLMP and alerts on authentication frames containing cleartext credentials.
  • Baseline normal SLMP client-to-PLC pairings and flag any new client establishing sessions with the MELSEC iQ-F.
  • Correlate PLC program-state change events with authenticated SLMP commands to identify unauthorized STOP operations.

Monitoring Recommendations

  • Mirror traffic from OT switches connected to MELSEC iQ-F controllers into a passive monitoring sensor.
  • Log all SLMP command transactions, including source address, command code, and target device range, to a centralized SIEM.
  • Monitor SPAN port traffic for ARP spoofing or rogue DHCP activity that could indicate an adversary preparing a man-in-the-middle position.
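
The indicators and detection strategies above can be expressed as three rules over a log of SLMP transactions. This is an added example, not code from SentinelOne or Mitsubishi Electric. The CSV log format, the symbolic command labels (AUTH, WRITE, STOP), the rogue address 10.10.99.7, the maintenance window and the burst threshold are all assumptions made for illustration.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (not real traffic). Hypothetical sensor format:
# timestamp,src_ip,dst_ip,command,device_range
SAMPLE_LOG = """\
2025-09-02T08:00:05,10.10.20.15,10.20.30.40,AUTH,-
2025-09-02T08:00:09,10.10.20.15,10.20.30.40,WRITE,D100-D109
2025-09-02T23:41:00,10.10.99.7,10.20.30.40,AUTH,-
2025-09-02T23:41:02,10.10.99.7,10.20.30.40,AUTH,-
2025-09-02T23:41:03,10.10.99.7,10.20.30.40,AUTH,-
2025-09-02T23:41:10,10.10.99.7,10.20.30.40,STOP,-
2025-09-03T02:15:00,10.10.20.15,10.20.30.40,STOP,-
"""

BASELINE = {("10.10.20.15", "10.20.30.40")}  # approved client -> PLC pairs (assumed)
MAINTENANCE = [(datetime(2025, 9, 3, 2, 0), datetime(2025, 9, 3, 4, 0))]  # assumed

def detect(log_text, baseline, maintenance, burst=3, window=timedelta(seconds=10)):
    """Return a list of (rule, timestamp, src, dst) alerts in log order."""
    alerts, seen_new, auth_times = [], set(), defaultdict(deque)
    for ts, src, dst, cmd, _rng in csv.reader(log_text.splitlines()):
        when = datetime.fromisoformat(ts)
        # Rule 1: client/PLC pairing absent from the baseline (alert once per pair).
        if (src, dst) not in baseline and (src, dst) not in seen_new:
            seen_new.add((src, dst))
            alerts.append(("NEW_CLIENT", ts, src, dst))
        # Rule 2: repeated authentication from one source inside a short window.
        if cmd == "AUTH":
            q = auth_times[src]
            q.append(when)
            while when - q[0] > window:
                q.popleft()
            if len(q) == burst:
                alerts.append(("AUTH_BURST", ts, src, dst))
        # Rule 3: STOP command outside every scheduled maintenance window.
        if cmd == "STOP" and not any(a <= when <= b for a, b in maintenance):
            alerts.append(("STOP_OUTSIDE_WINDOW", ts, src, dst))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG, BASELINE, MAINTENANCE):
        print(*alert)
```

The STOP issued by the approved workstation at 02:15 falls inside the maintenance window and raises no alert, which is the correlation the third detection strategy asks for.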

How to Mitigate CVE-2025-7731

Immediate Actions Required

  • Apply the firmware updates and configuration guidance published in Mitsubishi Electric advisory 2025-012.
  • Restrict SLMP access to approved engineering workstations using firewall rules or access control lists at the cell or zone boundary.
  • Rotate any credentials previously used over untrusted networks, since they may already be exposed.
  • Place MELSEC iQ-F controllers on dedicated OT VLANs isolated from corporate and internet-facing networks.

Patch Information

Mitsubishi Electric has published vendor guidance in advisory 2025-012. Review the Mitsubishi Electric Vulnerability Report, the CISA ICS Advisory ICSA-25-240-02, and the JVN Vulnerability Report for the current list of fixed versions and recommended countermeasures.

Workarounds

  • Tunnel SLMP communication through an IPsec or TLS-protected VPN between engineering hosts and the PLC zone.
  • Enable the IP filter function on the CPU module to allow connections only from specific source IP addresses.
  • Disable SLMP on Ethernet ports that do not require remote engineering access.
  • Use a unidirectional gateway or data diode where SLMP data must leave the OT zone for historian or monitoring purposes.
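
```bash
# Example firewall restriction limiting SLMP (TCP/UDP 5007 default) to one engineering host
iptables -A FORWARD -p tcp -s 10.10.20.15 -d 10.20.30.40 --dport 5007 -j ACCEPT
iptables -A FORWARD -p tcp -d 10.20.30.40 --dport 5007 -j DROP
# Same allow/deny pair for UDP, so the restriction covers both transports named above
iptables -A FORWARD -p udp -s 10.10.20.15 -d 10.20.30.40 --dport 5007 -j ACCEPT
iptables -A FORWARD -p udp -d 10.20.30.40 --dport 5007 -j DROP
```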

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: Information Disclosure
  • Vendor/Tech: Mitsubishi
  • Severity: HIGH
  • CVSS Score: 7.5
  • EPSS Probability: 0.02%
  • Known Exploited: No

CVSS Vector

  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: None

CWE References

  • CWE-319

Technical References

  • JVN Vulnerability Report
  • CISA ICS Advisory ICSA-25-240-02
  • Mitsubishi Electric Vulnerability Report

Related CVEs

  • CVE-2026-37536: uds-c Buffer Overflow Vulnerability
  • CVE-2025-7405: MELSEC iQ-F Auth Bypass Vulnerability
  • CVE-2025-2399: Mitsubishi CNC Systems DoS Vulnerability
  • CVE-2026-1876: Mitsubishi MELSEC iQ-F FX5-ENET/IP DoS Flaw