CVE-2026-1875
Published: 03 March 2026
Summary
CVE-2026-1875 is a high-severity Improper Resource Shutdown or Release (CWE-404) vulnerability in Mitsubishi Electric MELSEC iQ-F FX5-EIP firmware. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Denial of Service (T1498). The CVE ranks at the 34.0th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).
Deeper analysis
CVE-2026-1875 is an Improper Resource Shutdown or Release vulnerability (CWE-404) in the Mitsubishi Electric Corporation MELSEC iQ-F Series FX5-EIP EtherNet/IP Module, affecting versions 1.000 and prior. Published on 2026-03-03, it carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), highlighting its potential for high-impact availability disruption without requiring authentication or user interaction.
A remote attacker can exploit this vulnerability by continuously sending UDP packets to the affected products, triggering a denial-of-service (DoS) condition. The attack leverages the module's failure to properly handle resource shutdown or release, rendering the device unresponsive until a manual system reset is performed for recovery.
Advisories from JVN (https://jvn.jp/vu/JVNVU93286687/), CISA (https://www.cisa.gov/news-events/ics-advisories/icsa-26-62-01), and Mitsubishi Electric (https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-021_en.pdf) provide further details on mitigation strategies for this vulnerability.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-9281
Vulnerability details
Improper Resource Shutdown or Release vulnerability in Mitsubishi Electric Corporation MELSEC iQ-F Series FX5-EIP EtherNet/IP Module FX5-EIP versions 1.000 and prior allows a remote attacker to cause a denial-of-service (DoS) condition on the products by continuously sending UDP packets to the products. A system reset of the product is required for recovery.
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Vulnerability enables remote UDP-based flooding to trigger DoS on the network device, directly mapping to Network Denial of Service.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) (AI)
- Directly remediates the improper resource shutdown or release flaw in the FX5-EIP EtherNet/IP module by applying vendor patches or updates.
- Implements denial-of-service protections to block or limit continuous UDP packet floods that trigger the DoS condition.
- Enforces resource availability protections, such as queuing limits and allocation thresholds, to prevent exhaustion from improper UDP packet handling.