Mitsubishi Electric Air Conditioning Systems (Update B)

Plan Patch | CVSS 9.8 | ICS-CERT ICSA-25-177-01 | Jun 26, 2025
Mitsubishi Electric | Energy
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Mitsubishi Electric air conditioning system controllers (AE, EW, TE, TW, G, GB, EB, and AG series) contain an authentication bypass vulnerability (CWE-306). An unauthenticated attacker on the network can bypass authentication controls to gain unauthorized access, modify system settings, or extract firmware. Twelve product models support patching to version 8.03 or later. Ten product models (G-50, G-50-W, G-50A, GB-50 series, G-150AD, AG-150A series, EB-50GU series, and CMS-RMD-J) will not be patched and require network isolation as the primary mitigation.

What this means
What could happen
An attacker could bypass authentication on affected air conditioning systems to gain unauthorized control or access sensitive information. The attacker may also extract firmware to enable tampering with the system or deploying future attacks.
Who's at risk
Energy sector operators managing Mitsubishi Electric air conditioning systems should be aware that 10 product models have no available patch and must rely on network isolation. Twelve product models can be patched to version 8.03 or later. Building facility managers and utilities operating large HVAC installations are most affected.
How it could be exploited
An attacker with network access to an affected Mitsubishi Electric air conditioning controller can bypass authentication without credentials. After bypassing authentication, they can modify system setpoints, disable cooling/heating, or extract sensitive information such as firmware images for further analysis or modification.
Prerequisites
  • Network access to the air conditioning system's management interface (typically TCP port 80 or 443)
  • No valid credentials required
  • Remotely exploitable
  • No authentication required
  • Low complexity
  • Critical severity (CVSS 9.8)
  • No patch available for 10 product models
  • Affects critical facility infrastructure
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (27)
12 with fix, 15 EOL
Product              Affected Versions   Fix Status
G-50: vers:all/*     All versions        No fix (EOL)
G-50-W: vers:all/*   All versions        No fix (EOL)
GB-50: vers:all/*    All versions        No fix (EOL)
GB-50A: vers:all/*   All versions        No fix (EOL)
GB-24A: vers:all/*   All versions        No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to air conditioning system management interfaces from untrusted networks using firewall rules or access control lists
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update AE-200J, AE-200A, AE-200E, AE-50J, AE-50A, AE-50E, EW-50J, EW-50A, EW-50E, TE-200A, TE-50A, and TW-50A controllers to firmware version 8.03 or later
HARDENING: For AE-200 and AE-50 series running version 8.03 or later, enable access restriction settings in section 6-3-3 of the Instruction Book to block connections from untrusted hosts
Mitigations - no patch available
The following products have reached End of Life with no planned fix: G-50: vers:all/*, G-50-W: vers:all/*, GB-50: vers:all/*, GB-50A: vers:all/*, GB-24A: vers:all/*, G-150AD: vers:all/*, AG-150A-A: vers:all/*, AG-150A-J: vers:all/*, EB-50GU-A: vers:all/*, EB-50GU-J: vers:all/*, G-50A: vers:all/*, GB-50AD: vers:all/*, GB-50ADA-A: vers:all/*, GB-50ADA-J: vers:all/*, CMS-RMD-J: vers:all/*. Apply the following compensating controls:
HARDENING: Restrict physical access to air conditioning controllers and computers that can access them
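An added example, not part of the advisory or any vendor tooling: triaging an asset inventory against the model lists and the 8.03 fix version stated above, so each controller lands in a patch, harden, or isolate queue. The CSV column names, hosts and firmware values are constructed, and the code assumes firmware strings have the form major.minor.

```python
import csv, io, re

# Model lists copied from the advisory text above.
PATCHABLE = {"AE-200J", "AE-200A", "AE-200E", "AE-50J", "AE-50A", "AE-50E",
             "EW-50J", "EW-50A", "EW-50E", "TE-200A", "TE-50A", "TW-50A"}
EOL = {"G-50", "G-50-W", "GB-50", "GB-50A", "GB-24A", "G-150AD", "AG-150A-A",
       "AG-150A-J", "EB-50GU-A", "EB-50GU-J", "G-50A", "GB-50AD",
       "GB-50ADA-A", "GB-50ADA-J", "CMS-RMD-J"}
FIXED = (8, 3)  # firmware 8.03

def parse_version(text):
    """Return (major, minor) for '7.98' or 'Ver. 8.03'; None if unparseable."""
    m = re.search(r"(\d+)\.(\d+)", text or "")
    return (int(m.group(1)), int(m.group(2))) if m else None

def triage(model, firmware):
    model = model.strip().upper()
    if model in EOL:
        return "ISOLATE"   # no fix planned: restrict network and physical access
    if model not in PATCHABLE:
        return "REVIEW"    # not named in the advisory text; check manually
    ver = parse_version(firmware)
    if ver is None:
        return "REVIEW"    # unknown firmware: never assume it is fixed
    if ver < FIXED:
        return "PATCH"     # schedule update to 8.03 or later
    # AE-200 / AE-50 at 8.03+: enable access restriction (Instruction Book 6-3-3)
    return "HARDEN" if model.startswith(("AE-200", "AE-50")) else "PATCHED"

def triage_inventory(csv_text):
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["host"]: triage(r["model"], r["firmware"]) for r in rows}

# Constructed sample inventory (hosts, firmware values and OTHER-CTRL are made up).
SAMPLE = """host,model,firmware
hvac-01,AE-200E,7.98
hvac-02,ae-50a,Ver. 8.03
hvac-03,GB-50ADA-A,3.21
hvac-04,EW-50E,8.03
hvac-05,TE-200A,
hvac-06,OTHER-CTRL,1.00
"""

if __name__ == "__main__":
    for host, action in triage_inventory(SAMPLE).items():
        print(f"{host}: {action}")
```

The network access restriction listed as the workaround applies to every queue, including controllers reported as PATCHED.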
API: /api/v1/advisories/cb78ccb6-7ad3-4755-a3d3-04bce352e4f1
