CVE-2025-15080
published 2026-02-05

CVE-2025-15080: Improper Validation of Specified Quantity in Input vulnerability in Mitsubishi Electric MELSEC iQ-R Series R08PCPU, R16PCPU, R32PCPU, and R120PCPU allows an…

Priority P2 60 · high · 8.8 · CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.54% (41.3th percentile)
Improper Validation of Specified Quantity in Input vulnerability in Mitsubishi Electric MELSEC iQ-R Series R08PCPU, R16PCPU, R32PCPU, and R120PCPU allows an unauthenticated attacker to read device data or part of a control program from the affected product, write device data in the affected product, or cause a denial of service (DoS) condition on the affected product by sending a specially crafted packet containing a specific command to the affected product.

Affected

4 ranges
| Vendor | Product | Version range | Fixed in |
| mitsubishi_electric_corporation | melsec_iq-r_series_r08pcpu | | |
| mitsubishi_electric_corporation | melsec_iq-r_series_r120pcpu | | |
| mitsubishi_electric_corporation | melsec_iq-r_series_r16pcpu | | |
| mitsubishi_electric_corporation | melsec_iq-r_series_r32pcpu | | |

Detection & IOCs

  • Detect exploitation attempts by monitoring for specially crafted packets containing a specific command sent over Mitsubishi Electric proprietary protocol communication or SLMP communication targeting MELSEC iQ-R Series R08/16/32/120PCPU devices
  • Monitor network traffic for unauthenticated access attempts to MELSEC iQ-R Series PCPUs; exploitation requires no authentication, no user interaction, and is network-accessible (CVSS AV:N/AC:L/PR:N/UI:N)
  • Alert on any device data read/write or control program read activity from external/untrusted network sources targeting MELSEC iQ-R Series PCPUs running firmware version 48 or below
  • Vulnerability affects Mitsubishi Electric proprietary protocol communication AND SLMP communication; both protocol channels must be monitored/filtered
  • Only firmware versions 48 and below are vulnerable; firmware version 49 or later is the fixed version. Verify the firmware version on all R08PCPU, R16PCPU, R32PCPU, and R120PCPU devices
  • No public exploitation has been reported as of advisory publication; however, the attack vector is network-accessible with no authentication required, putting internet-exposed devices at high risk
  • IP filter function is available on affected devices as a mitigation control; refer to 'IP Filter' in section 1.13, Security, of the MELSEC iQ-R Ethernet User's Manual (Application) for configuration guidance