Changeflow GovPing Data Privacy & Cybersecurity CISA Advisory: Mitsubishi Electric CNC Series V...
Priority review Notice Added Final

CISA Advisory: Mitsubishi Electric CNC Series Vulnerability ICSA-26-078-05

Favicon for www.cisa.gov CISA ICS-CERT Advisories
Published March 19th, 2026
Detected March 19th, 2026
Email

Summary

CISA issued an advisory regarding a denial-of-service vulnerability (CVE-2025-2399) in Mitsubishi Electric CNC Series products. Successful exploitation could allow remote attackers to cause an out-of-bounds read. Affected products are deployed worldwide, with remediation guidance provided by the vendor.

View original document View source feed page

What changed

CISA has released an advisory (ICSA-26-078-05) detailing a critical vulnerability, CVE-2025-2399, affecting multiple versions of Mitsubishi Electric CNC Series products. The vulnerability, an Improper Validation of Specified Index, Position, or Offset in Input, can be exploited remotely by sending crafted packets to TCP port 683, leading to an out-of-bounds read and a denial-of-service condition. This advisory impacts a wide range of Mitsubishi Electric CNC models, including M800VW, M800VS, M80V, M80VW, M800W, M800S, M80, M80W, E80, C80, M750VW, M730VW, M720VW, M750VS, M730VS, M720VS, M70V, E70, NC Trainer2, and NC Trainer2 plus.

Organizations utilizing these Mitsubishi Electric CNC products, particularly within the Critical Manufacturing sector, should review the advisory to identify affected versions and apply the vendor-provided fixes (BC or later for M800/M80 series, FN or later for M800W/M80 series). For products without a fixed version, mitigation strategies should be implemented. Failure to address this vulnerability could result in operational disruptions due to denial-of-service attacks, impacting manufacturing processes.

What to do next

  1. Identify affected Mitsubishi Electric CNC Series product versions.
  2. Apply vendor-provided fixes (BC or later for M800/M80 series, FN or later for M800W/M80 series).
  3. Implement mitigation strategies for products without a fixed version.

Source document (simplified)

ICS Advisory

Mitsubishi Electric CNC Series

Release Date

March 19, 2026

Alert Code ICSA-26-078-05 Related topics: Industrial Control System Vulnerabilities, Industrial Control Systems View CSAF

Summary

Successful exploitation of this vulnerability could allow a remote attacker to cause an out-of-bounds read, resulting in a denial-of-service condition in the affected products.

The following versions of Mitsubishi Electric CNC Series are affected:

  • M800VW (BND-2051W000) <=BB
  • M800VS (BND-2052W000) <=BB
  • M80V (BND-2053W000) <=BB
  • M80VW (BND-2054W000) <=BB
  • M800W (BND-2005W000) <=FM
  • M800S (BND-2006W000) <=FM
  • M80 (BND-2007W000) <=FM
  • M80W (BND-2008W000) <=FM
  • E80 (BND-2009W000) <=FM
  • C80 (BND-2036W000) vers:all/*
  • M750VW (BND-1015W002) vers:all/*
  • M730VW (BND-1015W000) vers:all/*
  • M720VW (BND-1015W000) vers:all/*
  • M750VS (BND-1012W002) vers:all/*
  • M730VS (BND-1012W000-*) vers:all/
  • M720VS (BND-1012W000) vers:all/*
  • M70V (BND-1018W000) vers:all/*
  • E70 (BND-1022W000) vers:all/*
  • NC Trainer2 (BND-1802W000) vers:all/*
  • NC Trainer2 plus (BND-1803W000) vers:all/*

| CVSS | Vendor | Equipment | Vulnerabilities |
| --- | --- | --- | --- |
| v3 5.9 | Mitsubishi Electric | Mitsubishi Electric CNC Series | Improper Validation of Specified Index, Position, or Offset in Input |

Background

  • Critical Infrastructure Sectors: Critical Manufacturing
  • Countries/Areas Deployed: Worldwide
  • Company Headquarters Location: Japan

Vulnerabilities

Expand All +

CVE-2025-2399

Improper Validation of Specified Index, Position, or Offset in Input (CWE-1285) vulnerability in the affected products allows a remote attacker to cause an out-of-bounds read, resulting in a denial-of-service condition in the affected products by sending specially crafted packets to TCP port 683.

View CVE Details

Affected Products

Mitsubishi Electric CNC Series

Vendor:
Mitsubishi Electric Product Version:
Mitsubishi Electric M800VW (BND-2051W000): <=BB, Mitsubishi Electric M800VS (BND-2052W000): <=BB, Mitsubishi Electric M80V (BND-2053W000): <=BB, Mitsubishi Electric M80VW (BND-2054W000): <=BB, Mitsubishi Electric M800W (BND-2005W000): <=FM, Mitsubishi Electric M800S (BND-2006W000): <=FM, Mitsubishi Electric M80 (BND-2007W000): <=FM, Mitsubishi Electric M80W (BND-2008W000): <=FM, Mitsubishi Electric E80 (BND-2009W000): <=FM, Mitsubishi Electric C80 (BND-2036W000): vers:all/, Mitsubishi Electric M750VW (BND-1015W002): vers:all/, Mitsubishi Electric M730VW (BND-1015W000): vers:all/, Mitsubishi Electric M720VW (BND-1015W000): vers:all/, Mitsubishi Electric M750VS (BND-1012W002): vers:all/, Mitsubishi Electric M730VS (BND-1012W000): vers:all/, Mitsubishi Electric M720VS (BND-1012W000): vers:all/, Mitsubishi Electric M70V (BND-1018W000): vers:all/, Mitsubishi Electric E70 (BND-1022W000): vers:all/, Mitsubishi Electric NC Trainer2 (BND-1802W000): vers:all/, Mitsubishi Electric NC Trainer2 plus (BND-1803W000): vers:all/* Product Status:
known_affected

Remediations

Vendor fix
Please apply the fixed version (BC or later) for Mitsubishi Electric M800VW(BND-2051W000), M800VS(BND-2052W000), M80V(BND-2053W000), and M80VW(BND-2054W000). For instructions on how to apply it, please consult your Mitsubishi Electric representative.

Vendor fix
Please apply the fixed version (FN or later) for Mitsubishi Electric M800W(BND-2005W000), M800S(BND-2006W000), M80(BND-2007W000), M80W(BND-2008W000), and E80(BND-2009W000). For instructions on how to apply it, please consult your Mitsubishi Electric representative.

Mitigation
For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric recommends using a firewall or virtual private network (VPN) to prevent unauthorized access, when internet access is required, to minimize the risk of exploiting this vulnerability.

Mitigation
For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric recommends using the product within a LAN and blocking access from untrusted networks and hosts through a firewall, to minimize the risk of exploiting this vulnerability.

Mitigation
For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric recommends using IP filters to prevent unauthorized access, when internet access is required, to minimize the risk of exploiting this vulnerability. IP filter function is available for M800V/M80V Series and M800/M80/E80 Series. For details about the IP filter function, refer to the following manual for each product: M800V/M80V Series Instruction Manual "16. Appendix 3 IP Address Filter Setting Function", M800/M80/E80 Series Instruction Manual "15. Appendix 2 IP Address Filter Setting Function"

Mitigation
For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric recommends restricting physical access to the affected product and to all computers and network devices to which the products are connected, to minimize the risk of exploiting this vulnerability.

Mitigation
For customers of products that do not have a fixed version or who cannot immediately update the product, Mitsubishi Electric recommends installing anti-virus software on PCs that can access the affected product, to minimize the risk of exploiting this vulnerability.

Mitigation
For more information, see Mitsubishi Electric 2025-022. https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-022_en.pdf
https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-022_en.pdf

Relevant CWE: CWE-1285 Improper Validation of Specified Index, Position, or Offset in Input

Metrics

| CVSS Version | Base Score | Base Severity | Vector String |
| --- | --- | --- | --- |
| 3.1 | 5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |

Acknowledgments

  • Mitsubishi Electric reported this vulnerability to CISA

Legal Notice and Terms of Use

This product is provided subject to this Notification (https://www.cisa.gov/notification) and this Privacy & Use policy (https://www.cisa.gov/privacy-policy).

Recommended Practices

CISA recommends users take defensive measures to minimize the exploitation risk of these vulnerabilities.

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the internet.

Locate control system networks and remote devices behind firewalls and isolate them from business networks.

When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most recent version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

Advisory Conversion Disclaimer

This ICSA is a verbatim republication of CISA V20250121-001#02 from a direct conversion of the vendor's Common Security Advisory Framework (CSAF) advisory. This is republished to CISA's website as a means of increasing visibility and is provided "as-is" for informational purposes only. CISA is not responsible for the editorial or technical accuracy of republished advisories and provides no warranties of any kind regarding any information contained within this advisory. Further, CISA does not endorse any commercial product or service. Please contact CISA directly for any questions regarding this advisory.

Revision History

  • Initial Release Date: 2026-03-10

| Date | Revision | Summary |
| --- | --- | --- |
| 2026-03-10 | 1 | Initial Publication |
| 2026-03-19 | 2 | Initial CISA Republication of CISA V20250121-001#02 advisory |

Legal Notice and Terms of Use

This product is provided subject to this Notification and this Privacy & Use policy.

Vendor

  • Mitsubishi Electric

Tags

Sector: Critical Manufacturing Sector Topics: Industrial Control System Vulnerabilities, Industrial Control Systems

Please share your thoughts

We recently updated our anonymous product survey; we welcome your feedback.

Related Advisories

Mar 19, 2026

ICS Advisory | ICSA-26-078-08

Automated Logic WebCTRL Premium Server

Mar 19, 2026

ICS Advisory | ICSA-26-078-04

Schneider Electric EcoStruxure PME and EPO

Mar 19, 2026

ICS Advisory | ICSA-26-078-01

Schneider Electric Modicon M241, M251, and M262

Mar 19, 2026

ICS Advisory | ICSA-26-078-02

Schneider Electric Modicon Controllers M241, M251, M258, and LMC058

Related changes

Favicon for www.cisa.gov CISA ICS Advisory: WebCTRL Server Vulnerabilities Allow Communication Interception
Priority review Mar 19, 2026 CISA ICS-CERT Advisories Data Privacy & Cybersecurity
Favicon for www.cisa.gov CISA Adds Cisco Vulnerability CVE-2026-20131 to KEV Catalog
Urgent Mar 19, 2026 CISA ICS-CERT Advisories Data Privacy & Cybersecurity
Favicon for www.cisa.gov CISA: IGL-Technologies eParking.fi ICS Advisory
Urgent Mar 19, 2026 CISA ICS-CERT Advisories Data Privacy & Cybersecurity
Favicon for www.regulations.gov DoD Cyber Incident Reporting and Cloud Computing Information Collection
Priority review Mar 20, 2026 Regs.gov: Defense Acquisition Regulations System Defense & National Security
Favicon for www.cisa.gov CISA KEV: Cisco FMC Vulnerability Allows Root Java Code Execution (CVE-2026-20131)
Urgent Mar 20, 2026 CISA Known Exploited Vulnerabilities (KEV) Data Privacy & Cybersecurity
Favicon for www.ukri.org UKRI Funding for Secure Software Projects
Priority review Mar 20, 2026 UKRI Funding Opportunities (All Councils) Trade & Sanctions

Source

Favicon for www.cisa.gov
CISA ICS-CERT Advisories cisa.gov/rss.xml
Data Privacy & Cybersecurity
Analysis generated by AI. Source diff and links are from the original.

Classification

Agency
CISA
Published
March 19th, 2026
Instrument
Notice
Legal weight
Non-binding
Stage
Final
Change scope
Substantive
Document ID
ICSA-26-078-05

Who this affects

Applies to
Manufacturers
Industry sector
3254 Pharmaceutical Manufacturing
Activity scope
Industrial Control Systems
Geographic scope
United States US

Taxonomy

Primary area
Cybersecurity
Operational domain
IT Security
Topics
Industrial Control Systems Vulnerability Management

Browse Categories

Agriculture & Food Safety 61 Banking & Finance 212 Consumer Protection 38 Courts & Legal 271 Data Privacy & Cybersecurity 60 Defense & National Security 48 Education 20 Energy 102 Environment 83 Government & Legislation 255 Healthcare 115 Housing 15 Immigration 9 Insurance 58 Labor & Employment 110 Pharma & Drug Safety 78 Securities & Markets 74 Tax 53 Telecom & Technology 34 Trade & Sanctions 122 Transportation 56

Get Data Privacy & Cybersecurity alerts

Weekly digest. AI-summarized, no noise.

Free. Unsubscribe anytime.

Get alerts for this source

We'll email you when CISA ICS-CERT Advisories publishes new changes.

Free. Unsubscribe anytime.