Mitsubishi Electric smartRTU Missing Authentication Vulnerability Allowing OS Command Injection

Vulnerability

A vulnerability exists in Mitsubishi Electric smartRTU versions through 3.37, allowing remote unauthenticated attackers to bypass authentication and execute arbitrary operating system commands. This could lead to unauthorized disclosure, modification, destruction, or deletion of information within the product, or cause a denial-of-service condition.

Impact

Exploitation of this vulnerability could allow a remote unauthenticated attacker to execute arbitrary OS commands, potentially leading to unauthorized information disclosure, modification, destruction, or deletion, or causing a denial-of-service condition on the product.

Remediation

Mitsubishi Electric Europe B.V. recommends users take defensive measures to minimize the risk of exploitation. This includes using a firewall or VPN to prevent unauthorized access, blocking access from untrusted networks and hosts, using a web application firewall to filter and monitor malicious HTTP/HTTPS traffic, and allowing web client access from trusted networks only. For more information, consult the Mitsubishi Electric Europe PSIRT vulnerability report MEU_PSIRT_2025-3128.

Added: Dec 24, 2025, 8:19 PM
Updated: Dec 24, 2025, 8:19 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 7.5
exploitability: 7.0
remediation: 7.9
relevance: 1.5
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.