Skip to main content
CVE Vulnerability Database

CVE-2025-7731: MELSEC iQ-F Cleartext Info Vulnerability

CVE-2025-7731 is an information disclosure flaw in Mitsubishi Electric MELSEC iQ-F CPU modules allowing attackers to intercept credentials via SLMP messages and manipulate device operations. This article covers technical details, affected versions, impact, and mitigation strategies.

Updated:

CVE-2025-7731 Overview

CVE-2025-7731 is a cleartext transmission vulnerability [CWE-319] affecting Mitsubishi Electric MELSEC iQ-F Series CPU modules. The flaw exists in how the product handles SLMP (SLMP — Seamless Message Protocol) communications. A remote unauthenticated attacker who can intercept SLMP traffic can recover credential information transmitted in cleartext. Once captured, the credentials allow the attacker to read or write device values and stop running programs on the affected CPU module.

Critical Impact

Network-positioned attackers can passively capture SLMP credentials and use them to manipulate industrial control logic, halt program execution, and disrupt operational technology (OT) processes.

Affected Products

  • Mitsubishi Electric MELSEC iQ-F Series CPU modules (see Mitsubishi Electric PSIRT Vulnerability Notice 2025-012 for the precise model and firmware list)
  • Systems exposing SLMP communication to untrusted network segments
  • Engineering and HMI workstations communicating with affected CPU modules over SLMP

Discovery Timeline

  • 2025-09-01 - CVE-2025-7731 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-7731

Vulnerability Analysis

The MELSEC iQ-F Series CPU module exposes SLMP, a protocol used to read and write device values between programmable logic controllers (PLCs), human-machine interfaces (HMIs), and engineering tools. SLMP messages on affected modules carry authentication credentials without encryption. Any attacker with access to the OT network segment can record traffic with a packet capture tool and extract the credentials from the message payload.

The weakness is classified under [CWE-319] Cleartext Transmission of Sensitive Information. Confidentiality of the credential material is fully compromised once traffic is observed. The captured credentials then act as a valid authenticator for subsequent SLMP commands, enabling control of the PLC.

Root Cause

The product transmits authentication data over SLMP without applying transport-layer encryption or message-level confidentiality protections. There is no cryptographic binding that prevents reuse of credentials by an observer. The protocol implementation trusts that the underlying network is private, which is rarely a safe assumption in modern converged IT/OT environments.

Attack Vector

Exploitation requires the attacker to be positioned on a network path carrying SLMP traffic between an engineering tool, HMI, or SCADA host and the CPU module. Techniques include ARP spoofing on flat Layer 2 networks, port mirroring abuse, compromised jump hosts, or rogue devices on shared OT VLANs. After capturing one authenticated SLMP exchange, the attacker replays the harvested credentials in attacker-crafted SLMP requests to read process variables, write setpoints, or issue program stop commands.

No verified public proof-of-concept code is available. Refer to the CISA ICS Advisory ICSA-25-240-02 and the JVN Security Advisory for protocol-level details.

Detection Methods for CVE-2025-7731

Indicators of Compromise

  • SLMP traffic (typically TCP/UDP port 5007 or vendor-configured ports) originating from hosts that are not authorized engineering workstations or HMIs.
  • Unexpected SLMP write commands or program control requests (for example, Remote STOP) outside of scheduled maintenance windows.
  • ARP table anomalies on OT switches indicating possible man-in-the-middle positioning between HMIs and PLCs.

Detection Strategies

  • Deploy an ICS-aware network intrusion detection sensor that can parse SLMP and alert on authentication frames, write requests, and Remote STOP commands.
  • Baseline legitimate SLMP source/destination pairs and alert on any new talker addressing the CPU module.
  • Correlate PLC program state changes with operator activity in the engineering workstation logs to surface unauthorized control actions.

Monitoring Recommendations

  • Forward switch flow records and span-port captures from OT segments to a central analytics platform for long-term review.
  • Monitor for repeated failed or anomalous SLMP authentications, which may indicate credential replay attempts.
  • Track CPU module operational state transitions (RUN/STOP) and alert on transitions not initiated through approved change procedures.

How to Mitigate CVE-2025-7731

Immediate Actions Required

  • Restrict SLMP access to a dedicated management VLAN and block the protocol at the perimeter and across IT/OT boundaries.
  • Place affected MELSEC iQ-F CPU modules behind an industrial firewall or data diode and permit SLMP only from named engineering hosts.
  • Rotate any credentials that may have traversed untrusted segments and review PLC project files for unauthorized modifications.

Patch Information

Consult the Mitsubishi Electric PSIRT Vulnerability Notice 2025-012 for the authoritative list of fixed firmware versions and the corresponding upgrade procedure. Additional vendor and coordinator guidance is published in the CISA ICS Advisory ICSA-25-240-02 and the JVN Security Advisory. Schedule firmware updates during planned maintenance windows because CPU module updates require a process stop.

Workarounds

  • Use IPsec or a dedicated VPN tunnel to encrypt SLMP traffic between engineering tools and the CPU module when firmware updates are not yet possible.
  • Enforce strict Layer 2 controls such as port security, DHCP snooping, and dynamic ARP inspection to limit man-in-the-middle staging.
  • Physically segregate the OT network and prohibit dual-homed workstations that bridge corporate and control networks.
  • Disable SLMP on CPU modules where it is not operationally required.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.