Critical 8.8 CVSS Flaws in Mitsubishi MELSOFT Update Manager Enable Local Code Execution and Data Tampering
What It Is – CISA has issued an advisory (ICS‑A‑26‑181‑01) identifying four high‑severity vulnerabilities (CVE‑2025‑53816, CVE‑2025‑53817, CVE‑2025‑55188, CVE‑2025‑11001) in Mitsubishi Electric’s MELSOFT Update Manager SW1DND‑UDM‑M. The flaws include a heap‑based buffer overflow, NULL‑pointer dereference, improper link resolution, and path‑traversal in the bundled 7‑Zip component.
Exploitability – The vulnerabilities are exploitable by a local attacker who can convince a legitimate user to open a crafted archive. Successful exploitation can lead to arbitrary code execution, data tampering, or denial‑of‑service. CVSS v3 base score: 8.8 (High). No public exploit code is known, but the attack surface is trivial for insiders or compromised workstations.
Affected Products – Mitsubishi Electric MELSOFT Update Manager SW1DND‑UDM‑M versions ≥ 1.000A ≤ 1.014Q (used in critical manufacturing and other industrial control environments worldwide).
Why It Matters for Compliance & Audit Readiness
- Control Mapping: SOC 2 Change Management (CC6.1) and System Operations (CC7.1) require documented patch‑management processes; unpatched binaries break those controls.
- Continuous Evidence: Demonstrating timely remediation provides audit‑ready evidence for the “Vulnerability Management” sub‑control of the Security Trust Services Criteria.
- Risk of Data Integrity Loss: Local code execution can compromise the integrity of production data, directly impacting the “Integrity” principle of SOC 2.
Recommended Actions
- Inventory all MELSOFT Update Manager instances and verify version numbers.
- Apply Mitsubishi’s security patches or upgrade to a version > 1.014Q immediately.
- Integrate the product into your automated vulnerability‑scanning pipeline and record remediation dates in your compliance evidence repository.
- Review and tighten local access controls (least‑privilege, MFA) for workstations that can invoke the updater.
Source: CISA Advisory – ICSA‑26‑181‑01