CVE-2025-10089

HIGH

MILCO.S Setting App - Code Injection

Title source: llm

Description

Uncontrolled Search Path Element Vulnerability in Setting and Operation Application for Lighting Control System MILCO.S Setting Application all versions, MILCO.S Setting Application (IR) all versions, MILCO.S Easy Setting Application (IR) all versions, and MILCO.S Easy Switch Application (IR) all versions allows a local attacker to execute malicious code by having installer to load a malicious DLL. However, if the signer name "Mitsubishi Electric Lighting" appears on the "Digital Signatures" tab of the properties for "MILCO.S Lighting Control.exe", the application is a fixed one. This vulnerability only affects when the installer is run, not after installation. If a user downloads directly from Mitsubishi Electric website and installs the affected product, there is no risk of malicious code being introduced.

References (2)

[Third Party Advisory] https://jvn.jp/vu/JVNVU97181602/

[Various Sources] https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-015_en.pdf

Scores

CVSS v3 7.7

EPSS 0.0001

EPSS Percentile 1.7%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-427

Status published

Products (4)

Mitsubishi Electric Corporation/MILCO.S Easy Setting Application (IR) All versions

Mitsubishi Electric Corporation/MILCO.S Easy Switch Application (IR) All versions

Mitsubishi Electric Corporation/MILCO.S Setting Application All versions

Mitsubishi Electric Corporation/MILCO.S Setting Application (IR) All versions

Published Nov 18, 2025

Tracked Since Feb 18, 2026