HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High ThreatIntel

Critical 8.8 CVSS Flaws in Mitsubishi MELSOFT Update Manager Enable Local Code Execution and Data Tampering

CISA warns that four CVEs in Mitsubishi Electric’s MELSOFT Update Manager (versions 1.000A‑1.014Q) permit a local attacker to execute arbitrary code, corrupt files, or cause denial‑of‑service. For SOC 2‑compliant organizations, the issue underscores the need for documented patch‑management and continuous evidence of remediation.

LiveThreat™ Intelligence · 📅 June 30, 2026· 📰 cisa.gov
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
4 recommended
📰
Source
cisa.gov

Critical 8.8 CVSS Flaws in Mitsubishi MELSOFT Update Manager Enable Local Code Execution and Data Tampering

What It Is – CISA has issued an advisory (ICS‑A‑26‑181‑01) identifying four high‑severity vulnerabilities (CVE‑2025‑53816, CVE‑2025‑53817, CVE‑2025‑55188, CVE‑2025‑11001) in Mitsubishi Electric’s MELSOFT Update Manager SW1DND‑UDM‑M. The flaws include a heap‑based buffer overflow, NULL‑pointer dereference, improper link resolution, and path‑traversal in the bundled 7‑Zip component.

Exploitability – The vulnerabilities are exploitable by a local attacker who can convince a legitimate user to open a crafted archive. Successful exploitation can lead to arbitrary code execution, data tampering, or denial‑of‑service. CVSS v3 base score: 8.8 (High). No public exploit code is known, but the attack surface is trivial for insiders or compromised workstations.

Affected Products – Mitsubishi Electric MELSOFT Update Manager SW1DND‑UDM‑M versions ≥ 1.000A ≤ 1.014Q (used in critical manufacturing and other industrial control environments worldwide).

Why It Matters for Compliance & Audit Readiness

  • Control Mapping: SOC 2 Change Management (CC6.1) and System Operations (CC7.1) require documented patch‑management processes; unpatched binaries break those controls.
  • Continuous Evidence: Demonstrating timely remediation provides audit‑ready evidence for the “Vulnerability Management” sub‑control of the Security Trust Services Criteria.
  • Risk of Data Integrity Loss: Local code execution can compromise the integrity of production data, directly impacting the “Integrity” principle of SOC 2.

Recommended Actions

  • Inventory all MELSOFT Update Manager instances and verify version numbers.
  • Apply Mitsubishi’s security patches or upgrade to a version > 1.014Q immediately.
  • Integrate the product into your automated vulnerability‑scanning pipeline and record remediation dates in your compliance evidence repository.
  • Review and tighten local access controls (least‑privilege, MFA) for workstations that can invoke the updater.

Source: CISA Advisory – ICSA‑26‑181‑01

📰 Original Source
https://www.cisa.gov/news-events/ics-advisories/icsa-26-181-01

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Every gap like this maps to a control you can evidence.

The Verisq AI Trust Operations platform maps incidents to your control framework and collects the evidence continuously — so your Trust Center shows proof, not promises, when a buyer or auditor asks.

Explore the Verisq AI Trust Operations platform →