CVE-2025-2399CVSS 5.9MEDIUM
The severity is rated MEDIUM due to the specific requirements for exploitation, such as sending specially crafted packets over TCP port 683. However, given the critical nature of these CNC machines in manufacturing processes, the real-world exploitability remains a concern both in homelab and production environments. Patches are available but not fully mature across all affected versions; hence, implementing immediate mitigation strategies is crucial.

A critical security vulnerability has been identified in several models of the Mitsubishi Electric CNC Series, allowing a remote attacker to cause an out-of-bounds read leading to a denial-of-service (DoS) condition. The vulnerability arises from improper validation of specified index positions or offsets in input data sent over TCP port 683. This flaw affects multiple versions including M800VW, M800VS, and various other series with specific firmware versions. The impact is significant for industrial control systems (ICS) as these devices are integral to critical manufacturing infrastructure worldwide. Engineers and system administrators must urgently assess their environments to determine if they are running any of the affected models and apply necessary mitigations or patches to prevent potential disruptions.

Affected Systems
  • Mitsubishi Electric M800VW (BND-2051W000) <=BB
  • Mitsubishi Electric M800VS (BND-2052W000) <=BB
  • Mitsubishi Electric M80V (BND-2053W000) <=BB
  • Mitsubishi Electric M80VW (BND-2054W000) <=BB
  • Mitsubishi Electric M800W (BND-2005W000) <=FM
  • Mitsubishi Electric M800S (BND-2006W000) <=FM
  • Mitsubishi Electric M80 (BND-2007W000) <=FM
  • Mitsubishi Electric M80W (BND-2008W000) <=FM
Affected Versions: All versions before BC for M800VW, M800VS, M80V, and M80VW; all versions before FN for M800W, M800S, M80, M80W, E80
Remediation
  • Apply the fixed version BC or later for models BND-2051W000, BND-2052W000, BND-2053W000, and BND-2054W000. Consult your Mitsubishi Electric representative for detailed instructions.
  • Apply the fixed version FN or later for models BND-2005W000, BND-2006W000, BND-2007W000, BND-2008W000, and BND-2009W000. Consult your Mitsubishi Electric representative for detailed instructions.
  • If immediate update is not possible, use a firewall to block unauthorized access to TCP port 683 from the internet or untrusted networks.
  • Install anti-virus software on all PCs that can potentially connect to these CNC systems.
Stack Impact

The impact on industrial homelab stacks could be significant if these CNC machines are part of a larger manufacturing simulation setup. The specific models and versions listed must have their firmware checked against the affected list for necessary updates or mitigations.

Source →