Mitsubishi ICS Software Flaw Exposes Credentials in Plaintext

Mitsubishi Electric Discloses Cleartext Credential Storage Vulnerability (CVE-2025-3784) in GX Works2 ICS Software

MEDIUM
November 27, 2025
Vulnerability, Industrial Control Systems, Patch Management


Executive Summary

Mitsubishi Electric has disclosed an information disclosure vulnerability, CVE-2025-3784, in its GX Works2 industrial automation software. The advisory, released on November 27, 2025, states that all versions of the software are affected. The vulnerability, classified as CWE-312 (Cleartext Storage of Sensitive Information), allows for the extraction of plaintext credentials from project files. An attacker with local access to an engineering workstation could steal these credentials to gain unauthorized access to sensitive project files, potentially enabling them to alter critical industrial processes. The flaw has a CVSS v3 base score of 5.5 (Medium). A patched version is in development, and Mitsubishi has provided mitigation advice to reduce the risk of exploitation.

Vulnerability Details

The vulnerability is straightforward but has significant implications in an Industrial Control Systems (ICS) environment. GX Works2, used for programming and maintaining Mitsubishi Electric automation controllers (PLCs), insecurely stores user credentials within its project files (.gxwx).

  • CVE ID: CVE-2025-3784
  • CVSS Score: 5.5 (Medium)
  • Vulnerability Type: CWE-312: Cleartext Storage of Sensitive Information
  • Attack Vector: Local
  • Impact: An attacker with read access to a project file can extract credentials. These credentials can then be used to bypass authentication mechanisms protecting the project file, leading to unauthorized viewing or modification of the project's logic.

While the attack requires initial local access to the workstation where the project files are stored, this is a common scenario in multi-stage ICS attacks where an attacker first compromises an engineer's machine.

Affected Systems

  • Product: Mitsubishi Electric GX Works2
  • Versions: All versions are affected.

A fixed version of the software is currently under development.

Exploitation Status

There is no indication that this vulnerability is being actively exploited in the wild. However, its disclosure could lead to threat actors incorporating it into their toolkits for targeting industrial environments. The researcher Jiho Shin is credited with discovering and reporting the flaw.

Impact Assessment

An attacker who successfully exploits this vulnerability could gain the ability to modify the logic running on PLCs that control physical processes. This could lead to:

  • Process Disruption: Altering code to shut down a production line or cause equipment to malfunction (T0831 - Manipulation of Control).
  • Sabotage: Introducing subtle changes to a process that could damage equipment or create unsafe conditions.
  • Intellectual Property Theft: Stealing the proprietary logic and configurations that define a manufacturing process.

The requirement for local access lowers the CVSS score, but the potential impact on an OT environment remains high. In a targeted attack, gaining access to an engineering workstation is a key objective, making this vulnerability a valuable stepping stone for an adversary.

Cyber Observables for Detection

| Type | Value | Description |
|---|---|---|
| file_path | *.gxwx | Monitor for unauthorized access, copying, or exfiltration of GX Works2 project files. |
| process_name | GXW2.exe | Monitor for unusual behavior from the main GX Works2 process. |
| user_account_pattern | Logins to engineering workstations from non-engineering staff or at unusual times. | Indicator of a compromised workstation. |

Detection Methods

Detection should focus on protecting the engineering workstations and the project files themselves. Use File Integrity Monitoring (FIM) to alert on any unauthorized access or modification of .gxwx project files. EDR solutions on engineering workstations can detect suspicious activity, such as the exfiltration of these files to an external location. Network monitoring at the IT/OT boundary can also detect the transfer of these files out of the OT network. D3FEND's D3-LFP: Local File Permissions is the core defensive principle here.

Remediation Steps

Since a patch is not yet available, Mitsubishi Electric has provided the following interim mitigations:

  1. Restrict Access: Implement strict physical and logical access controls for PCs running GX Works2. Only authorized engineers should have access to these workstations.
  2. Network Hardening: Operate the affected PCs on a trusted local network and use firewalls or VPNs to block access from untrusted networks. Prevent these workstations from having direct internet access.
  3. File Permissions: Use operating system access controls to restrict access to the folders where GX Works2 project files are stored. Only authorized users should have read/write permissions.
  4. Antivirus Software: Install and maintain up-to-date antivirus software on the workstations to prevent the initial compromise that would grant an attacker local access.
  5. Apply Patch: Once the fixed version of GX Works2 is released, organizations should prioritize its deployment to all engineering workstations.

Timeline of Events

  1. November 27, 2025: Mitsubishi Electric publishes a security advisory for CVE-2025-3784 in GX Works2.
  2. November 27, 2025: This article was published.

MITRE ATT&CK Mitigations

Apply strict file system permissions to prevent unauthorized users from accessing GX Works2 project files.

Strictly control and monitor access to engineering workstations where sensitive project files are stored.

Apply the patch from Mitsubishi Electric as soon as it becomes available.

D3FEND Defensive Countermeasures

As a primary mitigation for CVE-2025-3784, organizations must enforce strict Local File Permissions on all engineering workstations where GX Works2 is installed. The directories containing .gxwx project files should be locked down so that only the authorized engineers who work on those projects have read and write access. Standard user accounts on the workstation should not have permission to read these files. This control directly counters the 'Local Access' requirement of the attack. Even if an attacker compromises a standard user account on the workstation, they would be unable to access and parse the project files to steal the plaintext credentials, effectively stopping the attack chain.
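
One way to check the folder lock-down described above and in the File Permissions remediation step, added here as an example and not taken from the Mitsubishi Electric advisory: parse the output of `icacls` for a project folder and list every allow entry that gives read access to a principal outside an approved list. The group name PLANT\GXW2-Engineers, the approved list, the folder D:\Projects and the sample output are assumptions constructed for illustration.

```python
import re

# Assumptions (site-specific, not from the advisory): who may read project folders.
ALLOWED = {"plant\\gxw2-engineers", "nt authority\\system", "builtin\\administrators"}
READ_RIGHTS = {"F", "M", "RX", "R", "GR", "GA", "RD"}  # icacls codes that include read

# One ACE as icacls prints it: principal, colon, one or more parenthesised groups.
ACE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([^)]*\))+)$")

# Constructed sample of `icacls D:\Projects` output.
SAMPLE = r"""D:\Projects BUILTIN\Users:(OI)(CI)(RX)
            PLANT\GXW2-Engineers:(OI)(CI)(M)
            NT AUTHORITY\SYSTEM:(OI)(CI)(F)
            NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(R,W)
            PLANT\Contractors:(DENY)(RX)

Successfully processed 1 files; Failed processing 0 files
"""


def exposed_aces(icacls_output, path):
    """Return (principal, rights) for allow ACEs that let a non-approved principal read."""
    findings = []
    for line in icacls_output.splitlines():
        # The first line starts with the path itself; later lines are only indented.
        m = ACE.match(line.removeprefix(path).strip())
        if not m:
            continue  # blank line or the icacls summary line
        groups = re.findall(r"\(([^)]*)\)", m["flags"])
        if "DENY" in groups:
            continue  # deny entries do not grant access
        rights = set(groups[-1].split(","))  # the last group holds the access rights
        if rights & READ_RIGHTS and m["who"].lower() not in ALLOWED:
            findings.append((m["who"], groups[-1]))
    return findings


if __name__ == "__main__":
    for who, rights in exposed_aces(SAMPLE, r"D:\Projects"):
        print(f"read access for non-approved principal: {who} ({rights})")
```
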

To detect attempts to exploit CVE-2025-3784, deploy File Integrity Monitoring (FIM) on engineering workstations. Configure the FIM solution to specifically monitor the directories where GX Works2 project files are stored. The system should generate a high-priority alert for any unauthorized access attempts, file reads, or file copy operations involving .gxwx files, especially if the action is performed by a user or process other than the legitimate engineer or GXW2.exe. This provides a critical alert that an attacker with local access is attempting to steal sensitive project files, allowing for a rapid response to isolate the workstation and investigate the compromise.
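
The alert logic described above and in the Cyber Observables table, added here as an example and not part of the advisory or of any FIM product: it keeps only events that touch .gxwx files and flags those where the process is not GXW2.exe, the account is not an authorized engineer, or the access falls outside shift hours. The event format, account names, install path and shift hours are assumptions constructed for illustration.

```python
import json
from datetime import datetime
from pathlib import PureWindowsPath

# Assumptions (site-specific, not from the advisory): engineer accounts, shift hours.
ENGINEERS = {"plant\\e.tanaka", "plant\\m.ruiz"}
SHIFT_HOURS = range(7, 19)        # 07:00-18:59 local time
EXPECTED_PROCESS = "gxw2.exe"     # process_name observable listed on this page

# Constructed sample: file-access audit records exported as JSON lines.
SAMPLE_EVENTS = r'''
{"time": "2025-11-27T09:14:02", "user": "PLANT\\e.tanaka", "process": "C:\\ExampleInstall\\GXW2.exe", "path": "D:\\Projects\\line3.gxwx"}
{"time": "2025-11-27T10:02:45", "user": "PLANT\\j.office", "process": "C:\\Windows\\System32\\robocopy.exe", "path": "D:\\Projects\\line3.gxwx"}
{"time": "2025-11-28T02:41:10", "user": "PLANT\\m.ruiz", "process": "C:\\ExampleInstall\\GXW2.exe", "path": "D:\\Projects\\mixer.GXWX"}
{"time": "2025-11-28T11:30:00", "user": "PLANT\\j.office", "process": "C:\\Windows\\System32\\notepad.exe", "path": "D:\\Shared\\minutes.txt"}
'''


def triage(jsonl):
    """Return (event, reasons) for every .gxwx access that breaks a rule."""
    alerts = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        if PureWindowsPath(ev["path"]).suffix.lower() != ".gxwx":
            continue  # only GX Works2 project files are in scope
        reasons = []
        if PureWindowsPath(ev["process"]).name.lower() != EXPECTED_PROCESS:
            reasons.append("process is not GXW2.exe")
        if ev["user"].lower() not in ENGINEERS:
            reasons.append("account is not an authorized engineer")
        if datetime.fromisoformat(ev["time"]).hour not in SHIFT_HOURS:
            reasons.append("access outside shift hours")
        if reasons:
            alerts.append((ev, reasons))
    return alerts


if __name__ == "__main__":
    for ev, reasons in triage(SAMPLE_EVENTS):
        print(ev["time"], ev["user"], ev["path"], "->", "; ".join(reasons))
```

The image name alone is a weak signal; where the audit source also records the full path or the signer of the process, compare those too.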

The exploit path for CVE-2025-3784 begins with an attacker gaining local access. Strong User Account Management on engineering workstations is therefore a critical preventative control. Enforce the principle of least privilege, ensuring that engineers do not use accounts with administrative privileges for daily tasks. All administrative access should be temporary and logged. Implement strong password policies and multi-factor authentication for workstation logins. By making it more difficult for an attacker to compromise an account on the engineering workstation, especially a privileged one, organizations can prevent the attacker from ever reaching the vulnerable project files in the first place.

Sources & References

Information Disclosure Vulnerability in GX Works2
Mitsubishi Electric (mitsubishielectric.com) November 27, 2025

Article Author

Jason Gomes


Tags

CVE-2025-3784, Mitsubishi Electric, GX Works2, ICS, OT Security, Vulnerability, Credential Storage
