Mitsubishi Electric Air Conditioning System

Plan PatchCVSS 7.1ICS-CERT ICSA-21-182-04Jul 1, 2021

Mitsubishi ElectricEnergy

Attack path

Attack VectorNetwork

Auth RequiredLow

ComplexityHigh

User InteractionNone needed

Summary

The vulnerability is an authentication bypass or improper authorization check in Mitsubishi Electric air conditioning centralized controllers and expansion controllers. An attacker with valid login credentials can impersonate an administrator to view and modify system configuration, operation information, and settings without proper authorization verification. Affected products include the G-50A, GB-50A, AG-150A-A/J, GB-50ADA-A/J, EB-50GU-A/J, AE-200A/E, AE-50A/E, EW-50A/E, TE-200A, TE-50A, TW-50A, CMS-RMD-J centralized controllers and PAC-YG50ECA expansion controller. CWE-303 (Incorrect Check for Unusual or Suspicious-Looking Source).

What this means

What could happen

An attacker with valid login credentials could impersonate an administrator and access the air conditioning system's configuration, potentially disclosing system settings, tampering with operation parameters like temperature setpoints, or disrupting HVAC operations that maintain facility environmental control.

Who's at risk

Operators at energy facilities, particularly electric utilities and district heating/cooling systems that rely on centralized HVAC control. Affected equipment includes Mitsubishi Electric air conditioning centralized controllers (G-50A, GB-50A, AG-150A series, EB-50GU series, AE series, EW series, TE series, TW series, GB-50ADA series, CMS-RMD-J) and expansion controller (PAC-YG50ECA). Any facility using these controllers for building or facility environmental control is at risk if credentials are weak or compromised.

How it could be exploited

An attacker with a valid username and password (or after cracking weak credentials) can authenticate to the centralized controller or expansion controller's management interface. Once authenticated, the attacker can bypass administrator checks and view or modify configuration data, operation parameters, and system settings without proper authorization verification.

Prerequisites

Valid user credentials (username and password) for the air conditioning system management interface
Network access to the management port of the centralized controller (G-50A, GB-50A, AG-150A, EB-50GU, AE series, EW series, TE series, TW series, GB-50ADA, CMS-RMD-J) or expansion controller (PAC-YG50ECA)
Ability to reach the device from the network (either local network access or internet exposure if not protected by firewall/VPN)

Requires valid credentials (not unauthenticated)High attack complexity (limits opportunistic exploitation)No patch available for many product versions (end-of-life products)Default credentials common in HVAC systemsConfiguration tampering could disrupt facility operations

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (19)

19 with fix

ProductAffected VersionsFix Status

G-50A:≥ 2.50 | ≤ 3.353.37+

GB-50ADA-A:≤ 3.203.37+

AG-150A-A:≤ 3.203.21+

AG-150A-J:≤ 3.203.21+

EB-50GU-J:≤ 7.097.10+

Remediation & Mitigation

0/7

Do now

0/4

HARDENINGImplement network access controls: place all air conditioning systems behind a firewall and restrict access from untrusted networks and hosts

HARDENINGRequire VPN usage for any internet-facing or remote access to air conditioning system management interfaces

HARDENINGChange all default usernames and passwords on air conditioning system controllers

HARDENINGIsolate air conditioning control networks from the business network and ensure systems are not directly accessible from the Internet

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate all affected air conditioning centralized controllers to the fixed versions: G-50A and GB-50A to v3.37 or later; AG-150A-A/J and GB-50ADA-A/J to v3.21 or later; EB-50GU-A/J to v7.10 or later; AE-200A/E, AE-50A/E, EW-50A/E, TE-200A, TE-50A, and TW-50A to v7.95 or later; CMS-RMD-J to v1.40 or later

HOTFIXUpdate expansion controller PAC-YG50ECA to version 2.21 or later

Long-term hardening

0/1

HARDENINGInstall and maintain antivirus software on all engineering workstations and computers that connect to air conditioning systems

CVEs (1)

CVE-2021-20593

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/f5f1c11e-5648-4ada-bc66-c3488b5b7888

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.