CVE-2025-10089

Publication date: 2025-11-18

Last updated on: 2025-11-27

Assigner: Mitsubishi Electric Corporation

Description
Uncontrolled Search Path Element Vulnerability in Setting and Operation Application for Lighting Control System MILCO.S Setting Application all versions, MILCO.S Setting Application (IR) all versions, MILCO.S Easy Setting Application (IR) all versions, and MILCO.S Easy Switch Application (IR) all versions allows a local attacker to execute malicious code by having the installer load a malicious DLL. However, if the signer name "Mitsubishi Electric Lighting" appears on the "Digital Signatures" tab of the properties for "MILCO.S Lighting Control.exe", the application is a fixed version. This vulnerability has an effect only while the installer is being run, not after installation. If a user downloads the affected product directly from the Mitsubishi Electric website and installs it, there is no risk of malicious code being introduced.
Meta Information
Published: 2025-11-18
Last Modified: 2025-11-27
Generated: 2026-05-07
AI Q&A: 2025-11-18
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
mitsubishi electric_lighting_control 3.1
mitsubishi milco.s_easy_switch_application *
mitsubishi milco.s_setting_application *
mitsubishi milco.s_easy_setting_application *
CWE ID Description
CWE-427 The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability allows a local attacker to execute malicious code by tricking the installer of the MILCO.S Lighting Control System applications into loading a malicious DLL. It only affects the installer process, not the application after installation. If the application is digitally signed by "Mitsubishi Electric Lighting," it is fixed. Also, installing directly from the official company website prevents this risk.


How can this vulnerability impact me?

If exploited, this vulnerability can allow a local attacker to execute malicious code on your system during the installation of the affected MILCO.S Lighting Control System applications. This could lead to compromise of confidentiality, integrity, and availability of your system.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking the digital signature of the file "MILCO.S Lighting Control.exe". If the signer name "Mitsubishi Electric Lighting" appears on the "Digital Signatures" tab of the file properties, the application is fixed and not vulnerable. There are no specific network detection commands provided. You can verify the digital signature on Windows by right-clicking the executable, selecting Properties, and viewing the Digital Signatures tab. Alternatively, you can check the signer with the Sysinternals command:

sigcheck -q -m "<path_to_MILCO.S Lighting Control.exe>"
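
The same signer check can be scripted across several copies of the file. This is an added example, not code from Mitsubishi Electric or from this page; the function names and the default search folder are hypothetical, and it assumes the "Name of signer" shown on the Digital Signatures tab is the simple name of the signing certificate's subject.

```powershell
# Added example: classify copies of the MILCO.S executable by Authenticode signer.
# Assumption: the signer name on the Digital Signatures tab equals the simple
# name (CN) of the signing certificate's subject.
$ExpectedSigner = 'Mitsubishi Electric Lighting'   # signer name given in the advisory
$TargetName     = 'MILCO.S Lighting Control.exe'   # file name given in the advisory

function Get-MilcoSignatureState {
    param([Parameter(Mandatory)][string]$Path)

    $sig    = Get-AuthenticodeSignature -LiteralPath $Path
    $signer = $null
    if ($sig.SignerCertificate) {
        $nameType = [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName
        $signer   = $sig.SignerCertificate.GetNameInfo($nameType, $false)
    }

    # A matching name only counts when Windows also validates the signature;
    # a self-signed or modified file can carry the same name string.
    if ($sig.Status -eq 'NotSigned') {
        $result = 'No signature: not confirmed as the fixed version'
    } elseif ($sig.Status -ne 'Valid') {
        $result = "Signature did not validate ($($sig.Status)): do not run"
    } elseif ($signer -eq $ExpectedSigner) {
        $result = 'Expected signer present: fixed version'
    } else {
        $result = 'Valid signature from a different signer: not confirmed as fixed'
    }

    [pscustomobject]@{
        Path   = $Path
        Status = $sig.Status
        Signer = $signer
        Result = $result
    }
}

function Find-MilcoExecutable {
    # Hypothetical default: the current user's Downloads folder.
    param([string[]]$Root = @("$env:USERPROFILE\Downloads"))

    Get-ChildItem -Path $Root -Filter $TargetName -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Get-MilcoSignatureState -Path $_.FullName }
}

Find-MilcoExecutable | Format-List
```

Pass `-Root` with software distribution shares or staging folders to check every copy before anyone runs it.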


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, ensure that the installer used is from the official company website and verify that the "MILCO.S Lighting Control.exe" file has the digital signature with the signer name "Mitsubishi Electric Lighting". Since the vulnerability only affects the installer execution phase, do not run installers from unknown, untrusted, or unverified sources.

