CVE-2025-15080
Published 2026-02-05
Priority: P2 60, high, 8.8 (CVSS 4.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N (all remaining metrics X, Not Defined)
EPSS: 0.54% (41.3th percentile)
Improper Validation of Specified Quantity in Input vulnerability in Mitsubishi Electric MELSEC iQ-R Series R08PCPU, R16PCPU, R32PCPU, and R120PCPU allows an unauthenticated attacker to read device data or part of a control program from the affected product, write device data in the affected product, or cause a denial of service (DoS) condition on the affected product by sending a specially crafted packet containing a specific command to the affected product.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mitsubishi_electric_corporation | melsec_iq-r_series_r08pcpu | — | — |
| mitsubishi_electric_corporation | melsec_iq-r_series_r120pcpu | — | — |
| mitsubishi_electric_corporation | melsec_iq-r_series_r16pcpu | — | — |
| mitsubishi_electric_corporation | melsec_iq-r_series_r32pcpu | — | — |
Detection & IOCs (extracted from sources)
- Detect exploitation attempts by monitoring for specially crafted packets containing a specific command sent over Mitsubishi Electric proprietary protocol communication or SLMP communication targeting MELSEC iQ-R Series R08/16/32/120PCPU devices.
- Monitor network traffic for unauthenticated access attempts to MELSEC iQ-R Series PCPUs; exploitation requires no authentication and no user interaction, and is network-accessible (CVSS AV:N/AC:L/PR:N/UI:N).
- Alert on any device data read/write or control program read activity from external or untrusted network sources targeting MELSEC iQ-R Series PCPUs running firmware version 48 or below.
- The vulnerability affects both Mitsubishi Electric proprietary protocol communication and SLMP communication; both protocol channels must be monitored and filtered.
- Only firmware versions 48 and below are vulnerable; firmware version 49 or later is the fixed version. Verify the firmware version on all R08PCPU, R16PCPU, R32PCPU, and R120PCPU devices.
- No public exploitation has been reported as of advisory publication; however, the attack vector is network-accessible with no authentication required, which puts internet-exposed devices at high risk.
- The IP filter function is available on affected devices as a mitigation control; refer to 'IP Filter' in section 1.13, Security, of the MELSEC iQ-R Ethernet User's Manual (Application) for configuration guidance.
CISA ICS
Mitsubishi Electric MELSEC iQ-R Series
cisa_ics·2026-02-05·CVSS 8.8
[HIGH] Mitsubishi Electric MELSEC iQ-R Series
ICS Advisory
## Mitsubishi Electric MELSEC iQ-R Series
Release Date: February 05, 2026
Alert Code: ICSA-26-036-02
## Summary
Successful exploitation of this vulnerability may allow an attacker to read device data or part of a control program from the affected product, write device data in the affected product, or cause a denial-of-service condition on the affected product.
The following versions of Mitsubishi Electric MELSEC iQ-R Series are affected:
- MELSEC iQ-R Series R08/16/32/120PCPU firmware <=48 (CVE-2025-15080)
| CVSS | Vendor | Equipment | Vulnerabilities |
|---|---|---|---|
| v3 9.4 | Mitsubishi Electric | Mitsubishi Electric MELSEC iQ-R Series | Improper Validation of Specified Qua |
GHSA
GHSA-3pq4-wgqv-gq3h: Improper Validation of Specified Quantity in Input vulnerability in Mitsubishi Electric MELSEC iQ-R Series R08PCPU, R16PCPU, R32PCPU, and R120PCPU all
ghsa_unreviewed·2026-02-05
CVE-2025-15080 [HIGH] CWE-1284 GHSA-3pq4-wgqv-gq3h: Improper Validation of Specified Quantity in Input vulnerability in Mitsubishi Electric MELSEC iQ-R Series R08PCPU, R16PCPU, R32PCPU, and R120PCPU all
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.