Mitsubishi Electric Air Conditioning System
Plan Patch7.1ICS-CERT ICSA-21-182-04Jul 1, 2021
Attack VectorNetwork
Auth RequiredLow
ComplexityHigh
User InteractionNone needed
Summary
The vulnerability is an authentication bypass or improper authorization check in Mitsubishi Electric air conditioning centralized controllers and expansion controllers. An attacker with valid login credentials can impersonate an administrator to view and modify system configuration, operation information, and settings without proper authorization verification. Affected products include the G-50A, GB-50A, AG-150A-A/J, GB-50ADA-A/J, EB-50GU-A/J, AE-200A/E, AE-50A/E, EW-50A/E, TE-200A, TE-50A, TW-50A, CMS-RMD-J centralized controllers and PAC-YG50ECA expansion controller. CWE-303 (Incorrect Check for Unusual or Suspicious-Looking Source).
What this means
What could happen
An attacker with valid login credentials could impersonate an administrator and access the air conditioning system's configuration, potentially disclosing system settings, tampering with operation parameters like temperature setpoints, or disrupting HVAC operations that maintain facility environmental control.
Who's at risk
Operators at energy facilities, particularly electric utilities and district heating/cooling systems that rely on centralized HVAC control. Affected equipment includes Mitsubishi Electric air conditioning centralized controllers (G-50A, GB-50A, AG-150A series, EB-50GU series, AE series, EW series, TE series, TW series, GB-50ADA series, CMS-RMD-J) and expansion controller (PAC-YG50ECA). Any facility using these controllers for building or facility environmental control is at risk if credentials are weak or compromised.
How it could be exploited
An attacker with a valid username and password (or after cracking weak credentials) can authenticate to the centralized controller or expansion controller's management interface. Once authenticated, the attacker can bypass administrator checks and view or modify configuration data, operation parameters, and system settings without proper authorization verification.
Prerequisites
- Valid user credentials (username and password) for the air conditioning system management interface
- Network access to the management port of the centralized controller (G-50A, GB-50A, AG-150A, EB-50GU, AE series, EW series, TE series, TW series, GB-50ADA, CMS-RMD-J) or expansion controller (PAC-YG50ECA)
- Ability to reach the device from the network (either local network access or internet exposure if not protected by firewall/VPN)
Requires valid credentials (not unauthenticated)High attack complexity (limits opportunistic exploitation)No patch available for many product versions (end-of-life products)Default credentials common in HVAC systemsConfiguration tampering could disrupt facility operations
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (19)
19 with fix
ProductAffected VersionsFix Status
G-50A:≥ 2.50 | ≤ 3.353.37 or later
GB-50ADA-A:≤ 3.203.37 or later
AG-150A-A:≤ 3.203.21 or later
AG-150A-J:≤ 3.203.21 or later
EB-50GU-J:≤ 7.097.10 or later
Remediation & Mitigation
0/7
Do now
0/4HARDENINGImplement network access controls: place all air conditioning systems behind a firewall and restrict access from untrusted networks and hosts
HARDENINGRequire VPN usage for any internet-facing or remote access to air conditioning system management interfaces
HARDENINGChange all default usernames and passwords on air conditioning system controllers
HARDENINGIsolate air conditioning control networks from the business network and ensure systems are not directly accessible from the Internet
Schedule — requires maintenance window
0/2Patching may require device reboot — plan for process interruption
HOTFIXUpdate all affected air conditioning centralized controllers to the fixed versions: G-50A and GB-50A to v3.37 or later; AG-150A-A/J and GB-50ADA-A/J to v3.21 or later; EB-50GU-A/J to v7.10 or later; AE-200A/E, AE-50A/E, EW-50A/E, TE-200A, TE-50A, and TW-50A to v7.95 or later; CMS-RMD-J to v1.40 or later
HOTFIXUpdate expansion controller PAC-YG50ECA to version 2.21 or later
Long-term hardening
0/1HARDENINGInstall and maintain antivirus software on all engineering workstations and computers that connect to air conditioning systems
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/f5f1c11e-5648-4ada-bc66-c3488b5b7888