Denial‑of‑Service Vulnerability in Mitsubishi Electric CNC Series (CVE‑2025‑2399) Threatens Manufacturing Operations
What It Is – A medium‑severity (CVSS 5.9) input‑validation flaw (CWE‑1285) in multiple Mitsubishi Electric CNC controllers allows an unauthenticated remote attacker to trigger an out‑of‑bounds read, causing a denial‑of‑service (DoS).
Exploitability – No public exploit or active exploitation has been reported; the vulnerability is disclosed in a CISA advisory and can be weaponised with crafted network packets.
Affected Products – Mitsubishi Electric CNC Series, including:
- M800VW, M800VS, M80V, M80VW (≤ BB)
- M800W, M800S, M80, M80W, E80, C80 (≤ FM)
- M750VW, M730VW, M720VW, M750VS, M730VS, M720VS, M70V, E70, NC Trainer2, NC Trainer2 plus (all versions)
TPRM Impact – CNC controllers are core to critical manufacturing lines; a DoS can halt production, ripple through supply chains, and force downstream customers to miss delivery commitments.
Recommended Actions –
- Verify firmware version on all Mitsubishi CNC assets.
- Apply Mitsubishi‑issued patches or upgrade to the latest firmware as soon as available.
- Segment CNC networks from corporate IT and enforce strict firewall rules.
- Deploy intrusion‑detection signatures that flag malformed CNC protocol traffic.
- Include the CNC controllers in your third‑party risk inventory and monitor vendor advisories.
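One way to carry out the firmware check against the affected ranges listed above, as an added example that is not part of the advisory or any Mitsubishi tooling. It assumes an inventory of (asset, model, system version) rows, and it assumes that version codes are two characters and sort lexicographically, which this page does not state; anything else is routed to manual review.

```python
# Added example: triage a CNC asset inventory against the affected ranges above.
# Assumption (not from the advisory): version codes are two alphanumeric
# characters and compare lexicographically, so "BA" <= "BB" < "BC".

# model -> highest affected version; None means all versions are affected.
AFFECTED = {}
for m in ("M800VW", "M800VS", "M80V", "M80VW"):
    AFFECTED[m] = "BB"
for m in ("M800W", "M800S", "M80", "M80W", "E80", "C80"):
    AFFECTED[m] = "FM"
for m in ("M750VW", "M730VW", "M720VW", "M750VS", "M730VS", "M720VS",
          "M70V", "E70", "NC TRAINER2", "NC TRAINER2 PLUS"):
    AFFECTED[m] = None

def classify(model, version):
    """Return 'affected', 'above_listed_range', 'review' or 'not_listed'."""
    key = " ".join(model.upper().split())      # normalise case and spacing
    if key not in AFFECTED:
        return "not_listed"
    ceiling = AFFECTED[key]
    if ceiling is None:
        return "affected"                      # every version is in scope
    v = (version or "").strip().upper()
    if len(v) != 2 or not (v.isascii() and v.isalnum()):
        return "review"                        # unknown format: check by hand
    return "affected" if v <= ceiling else "above_listed_range"

def triage(rows):
    """rows: iterable of (asset, model, version) -> list of (asset, status)."""
    return [(asset, classify(model, version)) for asset, model, version in rows]

# Constructed inventory rows for illustration only.
SAMPLE = [
    ("cell-01", "M800VW", "BA"),
    ("cell-02", "m80v", "BC"),
    ("cell-03", "M80", "FM"),
    ("cell-04", "E70", "K2"),
    ("cell-05", "NC Trainer2 plus", ""),
    ("cell-06", "M800S", "unknown"),
    ("cell-07", "OTHER-VENDOR", "A1"),
]

if __name__ == "__main__":
    for asset, status in triage(SAMPLE):
        print(f"{asset}: {status}")
```

A result of `above_listed_range` only means the version is outside the range listed here; confirm the fixed version against the vendor advisory before closing the asset out.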
Source: CISA Advisory – ICSA‑26‑078‑05