Mitsubishi Electric Air Conditioning Systems (Update B)

Act Now9.8ICS-CERT ICSA-25-177-01Jun 26, 2025

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Mitsubishi Electric air conditioning systems contain an authentication bypass vulnerability (CWE-306) in their network management interfaces. Successful exploitation allows an attacker to gain unauthorized control of the system and access sensitive information including firmware, which could be used for further tampering. The vulnerability affects all versions of 26 different AC system models across gateway controllers, outdoor units, and management devices.

What this means

What could happen

An attacker could bypass authentication to gain unauthorized control of air conditioning systems, alter temperature setpoints or airflow, or steal system configuration and firmware details that could be used for further tampering or attacks.

Who's at risk

Facility and building managers responsible for Mitsubishi Electric air conditioning systems in commercial and industrial buildings, particularly in the energy sector. Affects gateway controllers (G, GB, AG series), outdoor units (AE, EW series), and management devices (TE, TW, CMS-RMD) across multiple geographic variants and refrigerant types.

How it could be exploited

An attacker on a network that can reach the air conditioning controller sends a request that bypasses authentication checks. Once authenticated, they can issue commands to change operational parameters, stop the system, or extract firmware and configuration data.

Prerequisites

Network access to the air conditioning system's management interface (typically HTTP/HTTPS port)
No valid credentials required

Remotely exploitableNo authentication requiredLow complexity attackCritical CVSS score (9.8)Affects facility operational systemsNo patch available for most models

Exploitability

Low exploit probability (EPSS 0.1%)

Affected products (27)

12 with fix15 EOL

ProductAffected VersionsFix Status

G-50: vers:all/*All versionsNo fix (EOL)

G-50-W: vers:all/*All versionsNo fix (EOL)

GB-50: vers:all/*All versionsNo fix (EOL)

GB-50A: vers:all/*All versionsNo fix (EOL)

GB-24A: vers:all/*All versionsNo fix (EOL)

Remediation & Mitigation

0/5

Do now

0/2

WORKAROUNDEnable access restriction settings on supported models (AE series, EW series, TE/TW series Ver. 8.03 or later) to block connections from untrusted hosts

HARDENINGRestrict network access to air conditioning systems from untrusted networks; isolate AC management interface from general IT networks

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate to firmware version 8.03 or later for AE-200J, AE-200A, AE-200E, AE-50J, AE-50A, AE-50E, EW-50J, EW-50A, EW-50E, TE-200A, TE-50A, TW-50A if available

HARDENINGEnsure operating systems and web browsers on computers that connect to air conditioning systems are updated to the latest versions

Mitigations - no patch available

0/1

The following products have reached End of Life with no planned fix: G-50: vers:all/*, G-50-W: vers:all/*, GB-50: vers:all/*, GB-50A: vers:all/*, GB-24A: vers:all/*, G-150AD: vers:all/*, AG-150A-A: vers:all/*, AG-150A-J: vers:all/*, EB-50GU-A: vers:all/*, EB-50GU-J: vers:all/*, G-50A: vers:all/*, GB-50AD: vers:all/*, GB-50ADA-A: vers:all/*, GB-50ADA-J: vers:all/*, CMS-RMD-J: vers:all/*. Apply the following compensating controls:

HARDENINGRestrict physical access to air conditioning system hardware and computers that can access them

CVEs (1)

CVE-2025-3699

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/cb78ccb6-7ad3-4755-a3d3-04bce352e4f1