Critical OS Command Injection Vulnerability in Mitsubishi Electric smartRTU: Detailed Analysis and Mitigation Strategies

  • Rescana
  • Apr 17
  • 2 min read

Executive Summary

The Mitsubishi Electric smartRTU vulnerability, identified as CVE-2025-3128, is a critical OS Command Injection flaw. This vulnerability allows an unauthenticated remote attacker to execute arbitrary operating system commands, potentially causing data disclosure, tampering, or destruction, and could lead to a denial-of-service condition. With a CVSS v3.1 score of 9.8 and a CVSS v4 score of 9.3, this vulnerability poses a significant threat to affected systems. Mitsubishi Electric smartRTU systems running versions 3.37 and prior are susceptible to this attack.

Technical Information

Vulnerability Type: The flaw is classified under CWE-78, which relates to the improper neutralization of special elements used in an OS command. This type of vulnerability arises when user inputs are not correctly sanitized, allowing attackers to inject and execute malicious commands.

Affected Versions: The vulnerability affects Mitsubishi Electric smartRTU versions 3.37 and prior. These versions fail to properly validate input on certain API routes, and the flaw can be exploited by bypassing authentication mechanisms. An attacker who does so can execute arbitrary commands with potentially elevated privileges.

Exploitation Mechanism: Exploitation of this vulnerability involves targeting specific API routes that fail to properly verify user credentials. By sending crafted requests, attackers can bypass authentication and execute commands on the underlying OS. This could result in the leakage of sensitive information, unauthorized data modification, or service disruption.

Risk Evaluation: This vulnerability is critical due to the potential damage it can cause. Successful exploitation can lead to unauthorized access to sensitive data, its alteration, or destruction, and can disrupt services, all of which can have severe operational and reputational impacts on organizations relying on the affected systems.

Exploitation in the Wild

Currently, there is no known public exploitation specifically targeting CVE-2025-3128. However, the critical nature of this vulnerability necessitates proactive measures to protect systems from potential threats.

APT Groups using this vulnerability

As of this report, no specific Advanced Persistent Threat (APT) groups have been identified as exploiting this vulnerability. Continuous monitoring and intelligence gathering are recommended to detect and mitigate any emerging threats.

Affected Product Versions

The vulnerability affects Mitsubishi Electric smartRTU devices running versions 3.37 and prior. It is imperative for organizations using these versions to review their security posture and apply necessary mitigations.

Workaround and Mitigation

Mitsubishi Electric Europe B.V. advises implementing the following measures: deploying firewalls or VPNs to restrict unauthorized access, allowing web client access only from trusted networks, and using Web Application Firewalls (WAFs) to filter malicious HTTP/HTTPS traffic. Additionally, CISA recommends conducting comprehensive impact analyses and risk assessments before deploying any defensive measures and following proactive defense strategies outlined on CISA’s ICS webpage (https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-09).
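To check whether the trusted-network restriction is actually holding, the following added example (not from the vendor or CISA advisories) audits web access logs for requests that come from outside the trusted network or carry shell metacharacters in the URL. It assumes a reverse proxy in front of the device that writes Common Log Format; the 10.20.0.0/24 management subnet, the /example/route path and the sample log lines are all constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumption: the only network allowed to reach the smartRTU web interface.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# Characters that let input break out of an OS command (CWE-78).
SHELL_META = re.compile(r"[;|&`\n\r]|\$\(|\$\{")
# Common Log Format: ip ident user [time] "METHOD target PROTO" status
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" \d{3}')

def audit_line(line):
    """Return finding labels for one access-log line."""
    m = LOG_LINE.match(line)
    if not m:
        return ["unparsed"]
    try:
        client = ipaddress.ip_address(m["ip"])
        parts = urlsplit(m["target"])
    except ValueError:
        return ["unparsed"]
    findings = []
    if not any(client in net for net in TRUSTED_NETS):
        findings.append("untrusted-source")
    # parse_qsl splits on '&' before percent-decoding, so an encoded '&' or
    # ';' hidden inside a parameter value is visible to the check below.
    values = [unquote(parts.path)]
    values += [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    if any(SHELL_META.search(v) for v in values):
        findings.append("shell-metacharacters")
    return findings

def audit(lines):
    """Return (line_number, findings) for every line with a finding."""
    return [(n, f) for n, line in enumerate(lines, 1) if (f := audit_line(line))]

# Constructed sample lines; /example/route is a hypothetical path.
SAMPLE_LOG = [
    '10.20.0.15 - - [01/Jan/2025:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2025:10:02:11 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2025:10:02:40 +0000] "GET /example/route?target=192.0.2.1%3Becho+x HTTP/1.1" 200 87',
    '10.20.0.15 - - [01/Jan/2025:10:05:02 +0000] "GET /example/route?target=192.0.2.1%60x%60 HTTP/1.1" 200 87',
    'truncated or malformed entry',
]

if __name__ == "__main__":
    for n, f in audit(SAMPLE_LOG):
        print(n, ", ".join(f))
```

Access logs do not record request bodies, so this check covers only the request line; inspecting POST payloads is the job of the WAF named above.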

References

For further technical details and mitigation strategies, please refer to the following resources: CISA Advisory on Mitsubishi Electric smartRTU, VulDB Entry on Mitsubishi Electric smartRTU, and the Mitsubishi Electric Public Security Bulletin.

Rescana is here for you

Rescana’s Third Party Risk Management (TPRM) platform is designed to help organizations identify and mitigate risks associated with third-party vendors and systems. By utilizing our platform, companies can enhance their cybersecurity posture and protect against vulnerabilities like CVE-2025-3128. We are committed to assisting you in navigating these complex challenges. For any questions regarding this report or other cybersecurity concerns, please contact us at ops@rescana.com.