Mitsubishi Electric Air Conditioning Systems
Act Now | 9.3 | ICS-CERT ICSA-21-182-05 | Jul 1, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
XML External Entity (XXE) vulnerability in Mitsubishi Electric air conditioning system controllers. Successful exploitation allows an attacker to disclose sensitive data stored in the system or cause a denial-of-service condition. The vulnerability exists in multiple centralized controller models (G-50A, GB-50A, GB-24A, AG-150A, GB-50ADA, EB-50GU, AE-series, EW-series, TE-series, TW-series), expansion controllers (PAC-YG50ECA), and BM adapters (BAC-HD150).
What this means
What could happen
An attacker could extract sensitive data from the air conditioning control system or disrupt cooling operations, affecting building climate control and potentially impacting tenant comfort or equipment in data centers.
Who's at risk
Energy sector organizations that operate Mitsubishi Electric centralized air conditioning controllers (G-50A, GB-50A, GB-24A, AG-150A, GB-50ADA, EB-50GU, AE-200, AE-50, EW-50, TE-200, TE-50, TW-50 series), expansion controllers (PAC-YG50ECA), and BM adapters (BAC-HD150) in buildings, data centers, or control facilities. This includes facility managers and operators at utilities, hospitals, and large office buildings.
How it could be exploited
An attacker on the network (or the internet if the system is connected) sends a specially crafted request to the air conditioning controller. The vulnerability in XML parsing allows the attacker to read data from the system or trigger a denial-of-service condition that stops the controller from responding to commands.
Prerequisites
- Network access to the air conditioning controller on TCP port 502 or HTTP/HTTPS ports
- No credentials required to exploit the vulnerability
- Air conditioning system must be reachable from the attacker's network (internet or internal)
Remotely exploitable | No authentication required | Low complexity attack | High CVSS score (9.3) | Multiple models with no fix available | Affects building critical systems
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (21)
21 with fix
Product | Affected Versions | Fix Status
GB-50ADA-A | ≤ 3.20 | 3.37 or later
GB-24A | ≤ 9.11 | 9.12 or later
EB-50GU-J | ≤ 7.09 | 7.10 or later
AE-200E | ≤ 7.93 | 7.95 or later
AE-50A | ≤ 7.93 | 7.95 or later
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to air conditioning controllers: block inbound connections from untrusted networks using firewall rules, allow only authorized management workstations
HARDENING: Deploy air conditioning systems behind a VPN router if internet connectivity is required; do not expose controllers directly to the public internet
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update all affected Mitsubishi air conditioning controllers to patched firmware versions: G-50A/GB-50A to 3.37+, GB-24A to 9.12+, AG-150A series to 3.21+, GB-50ADA series to 3.21+, EB-50GU series to 7.10+, AE-200/AE-50/EW-50/TE-200/TE-50/TW-50 series to 7.95+, CMS-RMD-J to 1.40+, PAC-YG50ECA to 2.21+, BAC-HD150 to 2.22+
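The firmware thresholds in the HOTFIX item can be checked against a controller inventory. The following Python is an added example, not part of the advisory or any vendor tooling; the CSV columns (host, model, firmware) and the sample rows are constructed, and the fixed versions are copied from the HOTFIX item.

```python
import csv
import io

# Fixed versions copied from the HOTFIX item; keys are series prefixes.
FIXED = {
    "G-50A": "3.37", "GB-50A": "3.37", "GB-24A": "9.12",
    "AG-150A": "3.21", "GB-50ADA": "3.21", "EB-50GU": "7.10",
    "AE-200": "7.95", "AE-50": "7.95", "EW-50": "7.95",
    "TE-200": "7.95", "TE-50": "7.95", "TW-50": "7.95",
    "CMS-RMD-J": "1.40", "PAC-YG50ECA": "2.21", "BAC-HD150": "2.22",
}

def parse_version(text):
    """'7.10' -> (7, 10); fields compare as integers, so 7.09 < 7.10."""
    try:
        return tuple(int(part) for part in (text or "").strip().split("."))
    except ValueError:
        return None

def fixed_version_for(model):
    """Longest-prefix match, so GB-50ADA-A maps to GB-50ADA, not GB-50A."""
    model = model.strip().upper()
    matches = [prefix for prefix in FIXED if model.startswith(prefix)]
    return FIXED[max(matches, key=len)] if matches else None

def audit(inventory_csv):
    """Return (host, model, status) for every row of the inventory CSV."""
    results = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        fixed = fixed_version_for(row["model"])
        current = parse_version(row["firmware"])
        if fixed is None:
            status = "unknown-model"
        elif current is None:
            status = "unparsable-version"
        else:
            status = "patched" if current >= parse_version(fixed) else "vulnerable"
        results.append((row["host"], row["model"], status))
    return results

# Constructed sample inventory: hosts and firmware values are made up.
SAMPLE = """host,model,firmware
hvac-01,AE-200E,7.93
hvac-02,EB-50GU-J,7.10
hvac-03,GB-50ADA-A,3.20
hvac-04,TW-50A,n/a
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

The product table lists 3.37 as the fix for GB-50ADA-A while the HOTFIX item lists 3.21 for the GB-50ADA series; the example uses the HOTFIX values, so confirm the threshold for that model against the vendor advisory before treating a unit as patched.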
Long-term hardening
HARDENING: Install and maintain anti-virus software on all computers connected to air conditioning systems
CVEs (1)