CVE-2025-10089: Malicious Code Execution in Mitsubishi Electric Lighting Control System

Overview

CVE-2025-10089 describes a high-severity vulnerability affecting several versions of Mitsubishi Electric’s MILCO.S lighting control system applications. This vulnerability allows a local attacker to execute malicious code by tricking the installer into loading a malicious DLL. Crucially, the risk is present only during the installer execution phase and is mitigated if the software is downloaded directly from the official Mitsubishi Electric website. If the digital signature of “MILCO.S Lighting Control.exe” displays “Mitsubishi Electric Lighting,” the application is a fixed version and not susceptible to the vulnerability.

Technical Details

The vulnerability stems from a potential DLL injection during the installation process. An attacker with local access could replace a legitimate DLL file with a malicious one. When the installer runs, it loads the malicious DLL, allowing the attacker to execute arbitrary code within the context of the installer. This could lead to system compromise, data theft, or other malicious activities. The applications affected include:

  • MILCO.S Setting Application (all versions)
  • MILCO.S Setting Application (IR) (all versions)
  • MILCO.S Easy Setting Application (IR) (all versions)
  • MILCO.S Easy Switch Application (IR) (all versions)

Important Note: This vulnerability is limited to the installer execution. Once the software is installed and running, the risk is no longer present. Furthermore, verifying the digital signature of “MILCO.S Lighting Control.exe” can confirm if the installed version is patched.

CVSS Analysis

The Common Vulnerability Scoring System (CVSS) score for CVE-2025-10089 is 7.0 (HIGH).

This score reflects the following characteristics:

  • Attack Vector: Local (L) – Requires local access to the system.
  • Attack Complexity: Low (L) – The attack is relatively easy to perform.
  • Privileges Required: None (N) – No special privileges are needed to execute the attack.
  • User Interaction: Required (R) – Requires a user to run the installer.
  • Scope: Unchanged (U) – The impact stays within the security authority of the affected component (the installer and the account that runs it) rather than crossing into another component.
  • Confidentiality Impact: High (H) – Potential for significant data disclosure.
  • Integrity Impact: High (H) – Potential for complete system compromise.
  • Availability Impact: High (H) – Potential for complete system unavailability.

Possible Impact

Successful exploitation of this vulnerability could allow a local attacker to:

  • Execute arbitrary code with the privileges of the user running the installer.
  • Compromise the system’s integrity.
  • Steal sensitive data.
  • Potentially escalate privileges, depending on the context of the installer.

However, the impact is limited to the period when the installer is running. The risk is also mitigated if the software is obtained directly from Mitsubishi Electric’s official website.

Mitigation and Patch Steps

The primary mitigation steps are:

  • Download software only from the official Mitsubishi Electric website: This ensures the integrity of the installer and reduces the risk of downloading a compromised version.
  • Verify the digital signature: Before running the installer, check the digital signature of “MILCO.S Lighting Control.exe”. If the signer name is “Mitsubishi Electric Lighting,” the application is a fixed version.
  • Exercise caution: Be wary of running installers from untrusted sources.
  • Keep security software up to date: Ensure that antivirus and other security software are current to detect and prevent malicious DLL injection attempts.
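The signature check from the second step, written out as an added PowerShell example (this is not code from the Mitsubishi Electric advisory). The expected signer string is the one the advisory gives; the installer path is an assumption about where the download was saved.

```powershell
# Added example: verify the Authenticode signature of the MILCO.S installer
# before running it. The signer name comes from the advisory; the path is assumed.
param(
    [string]$InstallerPath  = ".\MILCO.S Lighting Control.exe",  # assumed download location
    [string]$ExpectedSigner = "Mitsubishi Electric Lighting"     # signer name from the advisory
)

function Test-InstallerSignature {
    param([string]$Path, [string]$Signer)

    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Ok = $false; Reason = "file not found: $Path" }
    }

    $sig = Get-AuthenticodeSignature -LiteralPath $Path

    # Anything other than Valid (NotSigned, HashMismatch, UnknownError, ...) means the
    # file is unsigned, has been altered, or chains to an untrusted root: do not run it.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Ok = $false; Reason = "signature status is $($sig.Status)" }
    }

    # SimpleName returns the certificate's CN, which is the signer name the advisory
    # tells you to look for. Comparison is exact, so a look-alike name is rejected.
    $cn = $sig.SignerCertificate.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn -cne $Signer) {
        return [pscustomobject]@{ Ok = $false; Reason = "unexpected signer: '$cn'" }
    }

    return [pscustomobject]@{
        Ok         = $true
        Reason     = "valid signature from '$cn'"
        Thumbprint = $sig.SignerCertificate.Thumbprint   # record it so later downloads can be compared
    }
}

$result = Test-InstallerSignature -Path $InstallerPath -Signer $ExpectedSigner
if ($result.Ok) {
    Write-Host "OK: $($result.Reason) (thumbprint $($result.Thumbprint))"
    exit 0
}
Write-Warning "Do not run the installer: $($result.Reason)"
exit 1
```

A non-zero exit code lets the check be wired into a deployment script so the installer is never launched from a file that fails either the chain validation or the signer-name comparison.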

Refer to the official Mitsubishi Electric advisory for the latest information and any available patches.
