A newly disclosed critical vulnerability, CVE-2025-3699, affecting a wide range of Mitsubishi Electric air conditioning system controllers has raised serious cybersecurity concerns. With a CVSS v3.1 base score of 9.8, this authentication bypass lets a remote, unauthenticated attacker control the HVAC system, read information from it, and use that information to tamper with the firmware of the affected products.
According to Mitsubishi Electric:
“An attacker may bypass authentication and then control the air conditioning systems illegally, or disclose information in them by exploiting this vulnerability. In addition, the attacker may tamper with firmware for the affected products using the disclosed information.”
This flaw is categorized under CWE-306: Missing Authentication for Critical Function. In practice this means the controllers expose management functions without verifying credentials at all, so anyone who can reach the device on the network can invoke them directly; there is no password to brute-force or session to hijack.
The vulnerability affects a long list of Mitsubishi Electric models, including:
- G-50 / GB-50 / AE-200J / AE-50A / EW-50E / TE-50A, and many others.
- For each model, every firmware version up to and including the one listed in the advisory is affected, for example G-50 Ver.3.37 and prior, or AE-200J Ver.8.01 and prior. Since no fixed builds have been released yet, a device running the listed version is still vulnerable.
Mitsubishi illustrates three system configurations to highlight when this vulnerability is exploitable:
- System Example 1 (intranet-only setup): Not exploitable from the internet. Because the flaw is a missing authentication check, anyone who already has a foothold on the intranet can still exploit it.
- System Example 2 (external access via VPN): Not exploitable from the internet as long as the VPN is properly configured. An attacker who obtains VPN credentials, or compromises a VPN-connected host, is in the same position as an intranet attacker in Example 1.
- System Example 3 (external access without VPN, i.e. the controller's management interface is directly reachable from the internet): Vulnerable to remote exploitation.
“In case of System Example 3, if an attacker tries to exploit the vulnerabilities from internet, the attack may succeed. Please make sure that your system is configured correctly as recommended by Mitsubishi Electric,” the advisory warns.
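The two facts the advisory gives an operator, the "Ver.X and prior" thresholds and the three system examples, combine into a simple triage: which controllers run an affected build, and which of those are reachable from the internet without a VPN? The script below is an added example, not Mitsubishi Electric's code. Its threshold table contains only the two versions quoted on this page (G-50 Ver.3.37, AE-200J Ver.8.01); every other model is reported as unknown rather than safe. The inventory is constructed sample data, the `Ver.3.40` entry is a hypothetical build used only to show that versions must be compared numerically, and a verdict above the listed threshold means "not listed", not "patched", because no fixes have been published yet.

```python
"""Triage helper for CVE-2025-3699 (Mitsubishi Electric AC controllers).

Added example, not vendor code. Combines the advisory's version thresholds
with its three system examples to rank which controllers need attention first.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Highest affected firmware version per model, as quoted in the advisory
# excerpt on this page. Models missing here are reported UNKNOWN, never safe.
AFFECTED_UP_TO: Dict[str, str] = {
    "G-50": "Ver.3.37",
    "AE-200J": "Ver.8.01",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """'Ver.3.37' -> (3, 37). Assumes dotted integers (vendor format) and
    compares numerically, so Ver.3.4 < Ver.3.37; a string compare would
    get that backwards."""
    cleaned = text.strip()
    if cleaned.lower().startswith("ver."):
        cleaned = cleaned[4:]
    return tuple(int(part) for part in cleaned.split("."))


def is_affected(model: str, version: str) -> Optional[bool]:
    """True/False when the model is in the threshold table, None if unknown."""
    threshold = AFFECTED_UP_TO.get(model)
    if threshold is None:
        return None
    return parse_version(version) <= parse_version(threshold)


@dataclass
class Controller:
    name: str
    model: str
    version: str
    internet_reachable: bool  # a route from the internet reaches the management interface
    behind_vpn: bool          # that route terminates on a VPN, not on the controller


def exposure(c: Controller) -> str:
    """Map a controller onto the advisory's three system examples."""
    if not c.internet_reachable:
        return "example1-intranet-only"
    if c.behind_vpn:
        return "example2-vpn"
    return "example3-direct-internet"


def triage(inventory: List[Controller]) -> List[Tuple[str, str, str]]:
    """Return (name, exposure, verdict) rows, worst cases first."""
    rank = {"CRITICAL": 0, "INTERNAL": 1, "UNKNOWN": 2, "NOT-LISTED": 3}
    rows = []
    for c in inventory:
        affected = is_affected(c.model, c.version)
        exp = exposure(c)
        if affected is None:
            verdict = "UNKNOWN"        # model not in the table: check the full advisory
        elif not affected:
            verdict = "NOT-LISTED"     # above the quoted threshold; no fix exists yet, re-check later
        elif exp == "example3-direct-internet":
            verdict = "CRITICAL"       # affected and exploitable from the internet
        else:
            verdict = "INTERNAL"       # affected; exploitable by anyone on the intranet or VPN
        rows.append((c.name, exp, verdict))
    return sorted(rows, key=lambda r: rank[r[2]])


# Constructed sample inventory; these are not real devices.
SAMPLE_INVENTORY = [
    Controller("hq-ahu-1", "G-50", "Ver.3.37", internet_reachable=True, behind_vpn=False),
    Controller("hq-ahu-2", "G-50", "Ver.3.40", internet_reachable=True, behind_vpn=False),  # hypothetical build
    Controller("plant-ae200", "AE-200J", "Ver.7.50", internet_reachable=True, behind_vpn=True),
    Controller("lab-ae200", "AE-200J", "Ver.8.01", internet_reachable=False, behind_vpn=False),
    Controller("annex-ew50", "EW-50E", "Ver.1.00", internet_reachable=True, behind_vpn=False),
]

if __name__ == "__main__":
    for name, exp, verdict in triage(SAMPLE_INVENTORY):
        print(f"{verdict:11} {exp:25} {name}")
```

Only `hq-ahu-1` comes out CRITICAL: it runs an affected build and sits in the advisory's System Example 3. The two INTERNAL rows are the ones Examples 1 and 2 describe as not exploitable from the internet, which is still a long way from safe; they are the devices to firewall off from everything except the management host while waiting for a fix.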
While fixes are being prepared for certain models, there are currently no publicly available patches. Mitsubishi Electric urges customers to implement strict mitigations:
- Restrict access to the controllers from untrusted networks and hosts; in practice, allow only the management workstations that need to reach them, and never expose the management interface directly to the internet.
- Limit physical access to the systems and to the computers connected to them.
- On the computers that can reach the controllers, keep antivirus protection in place and the operating system and web browser fully updated.
“To minimize the risk of this vulnerability being exploited, please make sure that your air conditioning system is configured correctly as recommended by Mitsubishi Electric,” the advisory recommends.