OTPulse

Mitsubishi Electric Air Conditioning Systems

Act Now | 7.5 | ICS-CERT ICSA-22-160-01 | Jun 9, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple Mitsubishi Electric air conditioning system models (firmware versions 7.97 and earlier, plus select older models at 3.21 and 7.10) are affected by weak or missing encryption in their communication protocols (CWE-327, CWE-200, CWE-300). An attacker with network access could read sensitive data being transmitted between the AC unit and external computers, or inject commands to tamper with system operation or cause a denial of service. The vulnerabilities affect AE series (AE-200A/E/J, AE-50A/E/J), AG series (AG-150A-A/J), EB series (EB-50GU-A/J), EW series (EW-50A/E/J), G series (G-150AD), GB series (GB-50AD, GB-50ADA-A/J), TE series (TE-200A, TE-50A), and TW series (TW-50A). The vendor has released patches for most models, but several older models are end-of-life and require replacement.

What this means
What could happen
An attacker with network access to a Mitsubishi Electric air conditioning system could read or modify commands and data in communication with external computers, potentially disrupting climate control or causing process interruptions. Alternatively, they could trigger a denial-of-service condition that stops the system.
Who's at risk
Facilities and utilities managing Mitsubishi Electric air conditioning systems should care about this vulnerability. The affected products are building climate control units used in commercial and industrial facilities, including energy sector infrastructure where cooling is critical for equipment or personnel comfort. Both older models (G-150AD, AG-150A, GB-50AD series) and current models (AE-200, AE-50, EW-50, TE, TW series) are affected.
How it could be exploited
An attacker on the same network as the air conditioning system (or the Internet if exposed) could intercept and manipulate unencrypted or weakly encrypted communication between the AC unit and external management computers. By inserting malicious commands or modifying setpoints, they could alter operating conditions or crash the system.
Prerequisites
  • Network access to the air conditioning system (direct network presence or exposed to Internet)
  • No authentication required to intercept or tamper with communications
Remotely exploitable over network | No authentication required | Low complexity to exploit | High EPSS score (90.8%) | Some products have no patch available (end-of-life models require replacement)
Exploitability
High exploit probability (EPSS 90.8%)
Affected products (20)
20 with fix
Product    Affected Versions    Fix Status
AE-200A    ≤ 7.97               7.98
AE-200E    ≤ 7.97               7.98
AE-200J    ≤ 7.97               7.98
AE-50A     ≤ 7.97               7.98
AE-50E     ≤ 7.97               7.98
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to air conditioning systems from untrusted networks and hosts using firewall rules
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update AE-200A, AE-200E, AE-200J, AE-50A, AE-50E, AE-50J, EW-50A, EW-50E, EW-50J, TE-200A, TE-50A, and TW-50A to firmware version 7.98 or later
HOTFIX: Update EB-50GU-A and EB-50GU-J to firmware version 7.11 or later
HOTFIX: Replace end-of-life models G-150AD, AG-150A-A, AG-150A-J, GB-50AD, GB-50ADA-A, and GB-50ADA-J with updated versions (AE-200 or AE-50 or EW-50 series version 7.98 or later)
Long-term hardening
HARDENING: Isolate air conditioning system networks from the business network using firewalls
HARDENING: Update anti-virus software and the operating system on any computer used to manage the air conditioning system