Mitsubishi Electric Corporation has disclosed a high-severity vulnerability affecting the MELSEC iQ-F Series FX5-EIP EtherNet/IP Module, tracked as CVE-2026-1875, with a CVSS v4.0 score of 8.7. Classified under CWE-404 (Improper Resource Shutdown or Release), the flaw enables an unauthenticated remote attacker to trigger a denial-of-service condition by continuously transmitting UDP packets to the module. All firmware versions of the FX5-EIP are affected, and no vendor patch has been issued. The vulnerability was disclosed on March 3, 2026, through Mitsubishi Electric PSIRT advisory 2025-021, and is co-tracked under JVNVU93286687 and CISA ICS Advisory ICSA-26-62-01.
The FX5-EIP module fails to properly release internal resources when subjected to sustained UDP traffic, leading to resource exhaustion and a non-operational state. The CVSS v4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N) characterizes the vulnerability as network-reachable with no complexity, no authentication, and no user interaction required, resulting in complete loss of availability on the affected component. Recovery cannot occur automatically -- a full manual system reset is required, directly extending the operational impact of any successful attack.
No public exploit code has been documented for CVE-2026-1875, and no active exploitation in the wild has been confirmed. However, the attack mechanism is operationally simple: an attacker need only sustain a UDP packet stream toward the device, requiring no specialized tooling or credentials. With no patch available, organizations operating FX5-EIP modules must rely entirely on compensating network controls and must treat this vulnerability with the same urgency as a remotely exploitable critical flaw.
CVE-2026-1875, with a CVSS v4.0 score of 8.7, affects the Mitsubishi Electric MELSEC iQ-F Series FX5-EIP EtherNet/IP Module across all deployed firmware versions. The root cause lies in inadequate resource management when the module processes a sustained stream of inbound UDP packets: internal resources are consumed without proper cleanup mechanisms, progressively exhausting the module's capacity to function until it enters a denial-of-service state. An unauthenticated attacker with network-layer reachability to the device can trigger this condition by continuously sending UDP packets -- no prior access, credentials, or user interaction are required. Once the module enters the denial-of-service state, it cannot recover on its own; operations personnel must perform a manual system reset, which may require physical site access and introduces extended recovery windows in complex or remote environments. Because all versions are affected and no remediation is available from the vendor, every deployed FX5-EIP module currently represents an unpatched, high-severity exposure that can only be addressed through network-level compensating controls.
Organizations deploying the Mitsubishi Electric MELSEC iQ-F Series FX5-EIP EtherNet/IP Module in manufacturing, industrial automation, or critical infrastructure environments face an immediate and unmitigated operational risk. A successful exploitation of CVE-2026-1875 would take the affected module offline without warning, severing EtherNet/IP communications to any PLCs, remote I/O, or field devices dependent on the module -- halting production lines, disrupting automated processes, and potentially creating unsafe operating conditions. Because recovery requires a manual system reset, the duration of any outage is bounded not by the vulnerability itself but by the speed of human response, site accessibility, and the complexity of the recovery procedure. In high-availability or safety-critical environments, even a brief unplanned outage can carry financial, contractual, and safety consequences that far exceed the cost of the incident itself.
From a regulatory and compliance perspective, organizations governed by frameworks such as NERC CIP, IEC 62443, or sector-specific OT security requirements face increased scrutiny when high-severity vulnerabilities remain unmitigated without documented compensating controls. The absence of a vendor patch shifts the full burden of risk management to the asset owner, and auditors will expect to see evidence of proactive action -- network segmentation records, firewall rule changes, monitoring configurations, and incident response documentation. Failure to demonstrate such measures could result in audit findings, regulatory sanctions, or elevated liability exposure in the event that exploitation leads to a reportable incident or safety event.
To mitigate the risks associated with CVE-2026-1875, organizations should consider the following actions:
1. Implement strict network segmentation to isolate all MELSEC iQ-F Series FX5-EIP modules on dedicated OT network segments, ensuring no untrusted host -- including general IT systems -- can reach the device's network interface directly.
2. Deploy firewall rules or access control lists that restrict inbound UDP traffic to each FX5-EIP module exclusively to approved source IP addresses, such as authorized engineering workstations and SCADA servers, blocking all other UDP originating from unapproved sources.
3. Enable continuous network monitoring on OT segments hosting FX5-EIP modules, configured to alert on sustained high-rate UDP traffic toward the module's IP address so that potential exploitation attempts are detected and responded to before a denial-of-service condition fully develops.
4. Develop, document, and rehearse an incident response procedure specific to this vulnerability, including a defined system reset and recovery workflow with assigned personnel, so that if exploitation occurs the affected module is returned to service in the shortest possible time.
5. Where operationally feasible, deploy redundant failover systems or manual override capabilities for processes dependent on the FX5-EIP module, reducing the production impact of any denial-of-service event.
6. Subscribe to Mitsubishi Electric PSIRT advisories and CISA ICS alerts for CVE-2026-1875 so that a firmware remediation -- when released -- can be assessed, tested, and deployed without delay.
By taking these steps, organizations can substantially limit their attack surface, improve early warning capability, and reduce the operational impact of any exploitation attempt while vendor remediation remains unavailable.
1898 & Co. is actively monitoring CVE-2026-1875 and working directly with clients operating Mitsubishi Electric MELSEC iQ-F Series equipment to assess their exposure and implement effective compensating controls. Our operational technology and industrial control system security specialists conduct targeted vulnerability assessments that identify all affected FX5-EIP modules across a client's environment, evaluate existing network segmentation, and recommend tailored firewall and monitoring configurations calibrated to each site's operational constraints. Where vendor remediation is unavailable, as is currently the case, 1898 & Co. focuses on hardening the surrounding network environment and ensuring clients maintain the detection and response capability needed to act before a denial-of-service condition produces extended downtime.
1898 & Co. maintains close collaboration with CISA, industry sector partners, and ICS-focused security research communities to stay current on vulnerabilities affecting industrial control systems. This intelligence posture enables our team to deliver timely, actionable guidance as new information becomes available -- including coordinated client notification when Mitsubishi Electric releases firmware remediation and rapid advisory updates if active exploitation of CVE-2026-1875 is confirmed in the wild.
Our team brings deep expertise in securing operational technology environments against network-based threats, with a particular track record in ICS protocol security, OT network architecture, and denial-of-service resilience for industrial systems. Clients operating exposed FX5-EIP modules can engage 1898 & Co. for an immediate compensating control assessment to reduce their risk posture while the vendor develops and releases a patch.
Mitsubishi Electric: High-Severity Denial-of-Service Vulnerability in MELSEC iQ-F Series FX5-EIP EtherNet/IP Module
1. Mitsubishi Electric PSIRT Security Advisory 2025-021 -- CVE-2026-1875
2. JVNVU93286687 -- Vulnerability in Mitsubishi Electric MELSEC iQ-F Series FX5-EIP Module