CISA has published an ICS advisory detailing four vulnerabilities in Mitsubishi Electric’s MELSOFT Update Manager SW1DND-UDM-M, a software product used in critical manufacturing environments worldwide. All versions from 1.000A through 1.014Q are affected, and the vendor has confirmed the issues are known to exist in deployed installations.

Vulnerability Overview

The four CVEs all stem from flaws in the 7-Zip archive component bundled with MELSOFT Update Manager. An attacker who convinces a legitimate user to decompress a specially crafted archive file could trigger one or more of the following conditions:

  • CVE-2025-53816: Heap-based buffer overflow, capable of causing a denial-of-service condition. CVSS v3.1 score: 5.0 (Medium).
  • CVE-2025-53817: NULL pointer dereference, also leading to a denial-of-service condition.
  • CVE-2025-55188: Improper link resolution before file access (link following), which could allow tampering with or destruction of information.
  • CVE-2025-11001: Path traversal (improper limitation of a pathname to a restricted directory), potentially enabling arbitrary code execution.

The overall advisory carries a CVSS v3 vendor score of 8.8 (High). All four vulnerabilities require local access and user interaction, meaning an attacker must either already have a foothold on the host or rely on social engineering to deliver the malicious archive.
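Two of the four flaws, link following (CVE-2025-55188) and path traversal (CVE-2025-11001), share one root cause: an extractor that trusts the entry names inside an archive. The following added example, not taken from the advisory or from 7-Zip, audits a constructed tar archive for both patterns before anything is written to disk; the root directory `/opt/extract` and the helper names are assumptions.

```python
import io
import posixpath
import tarfile

def audit_tar(data: bytes, root: str = "/opt/extract") -> list:
    """Return (member, reason) findings for entries that would escape root or write through an earlier link."""
    root = posixpath.normpath(root)
    findings = []
    links = {}  # member name -> resolved target, for link-following detection
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for m in tar.getmembers():
            name = m.name
            # Path traversal: absolute names or any ".." component
            if posixpath.isabs(name) or ".." in name.split("/"):
                findings.append((name, "path traversal"))
                continue
            # Link following: the entry's path passes through an earlier symlink
            parts = name.split("/")
            via = next(("/".join(parts[:i]) for i in range(1, len(parts))
                        if "/".join(parts[:i]) in links), None)
            if via is not None:
                findings.append((name, "link following via " + via))
                continue
            if not m.issym():
                continue
            # Symlink targets resolve relative to the link's own directory
            resolved = posixpath.normpath(
                posixpath.join(root, posixpath.dirname(name), m.linkname))
            if posixpath.commonpath([root, resolved]) != root:
                findings.append((name, "link escapes root"))
            links[name] = resolved
    return findings

def build_sample() -> bytes:
    """Constructed sample archive (not from the advisory): one benign entry plus one entry per escape pattern."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, payload=b"x"):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
        add_file("update/readme.txt")          # benign
        add_file("../../etc/cron.d/job")       # traversal out of root
        link = tarfile.TarInfo("update/cfg")   # symlink pointing outside root
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../etc"
        tar.addfile(link)
        add_file("update/cfg/passwd")          # regular file written through the link
    return buf.getvalue()
```

On Python 3.12 and later, `tarfile.extractall(filter="data")` rejects the same classes of entry; the audit above shows what such a filter has to check when the extractor itself does not.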

Affected Product

All versions of MELSOFT Update Manager SW1DND-UDM-M from 1.000A through 1.014Q inclusive are confirmed affected. The product is deployed globally and falls under the critical manufacturing sector.

Remediation and Mitigations

Mitsubishi Electric has released version 1.015R as the patched build. Operators should download the update from the vendor’s software download portal and consult security advisory 2026-004 for full details.

For environments where immediate patching is not feasible, Mitsubishi Electric and CISA recommend a layered set of interim controls:

  • Restrict the affected PC to a trusted LAN and block remote logins from untrusted hosts.
  • Use firewalls or VPNs to limit network exposure when internet access is required.
  • Enforce physical access controls on the host and its connected network segment.
  • Train users to avoid opening email attachments or clicking links from untrusted sources.
  • Deploy antivirus software on the affected host.

Given that exploitation requires interaction with a crafted archive file, limiting user exposure to untrusted files is the most direct short-term control while patching is scheduled.