Critical authentication bypass flaw reported in Mitsubishi Electric air conditioning systems
Take action: If you have Mitsubishi Electric air conditioning systems, review this advisory in detail to check whether your models are affected. Isolate the HVAC controllers from the internet and make sure they are reachable only from trusted internal networks or through a VPN. Since most affected models will not receive a security fix, network isolation is your primary protection.
Learn More
Mitsubishi Electric is reporting a critical authentication bypass vulnerability affecting multiple air conditioning system models used in commercial facilities worldwide.
The vulnerability is tracked as CVE-2025-3699 (CVSS score 9.8) and allows an unauthenticated remote attacker to bypass the authentication mechanism entirely and gain control over the building's HVAC infrastructure. An attacker could manipulate operational parameters, disrupt service availability in critical facilities such as data centers, hospitals, and manufacturing plants, and potentially establish persistent control through firmware tampering.
Affected Mitsubishi Electric air conditioning systems:
- G-50, G-50-W, G-50A (all versions)
- GB-50, GB-50A, GB-24A, GB-50AD, GB-50ADA-A, GB-50ADA-J (all versions)
- G-150AD, AG-150A-A, AG-150A-J (all versions)
- EB-50GU-A, EB-50GU-J (all versions)
- AE-200J, AE-200A, AE-200E, AE-50J, AE-50A, AE-50E (all versions)
- EW-50J, EW-50A, EW-50E (all versions)
- TE-200A, TE-50A, TW-50A (all versions)
- CMS-RMD-J (all versions)
Mitsubishi Electric has announced that it has no plans to release fixed firmware versions for most of the affected products. The company is preparing improved versions only for select models: AE-200J, AE-200A, AE-200E, AE-50J, AE-50A, AE-50E, EW-50J, EW-50A, EW-50E, TE-200A, TE-50A, and TW-50A (version 8.03 or later). Those versions will add access restriction settings; all other listed models remain unpatched.
Mitsubishi Electric emphasizes that their air conditioning systems are designed for use within secure intranet environments or networks protected by VPN infrastructure.
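Because the vendor's position is that these controllers are meant to live behind a VPN or on an isolated intranet, the practical control is a firewall policy in front of the HVAC segment that allows only the building-management VLAN and the VPN address pool to reach the controllers' web interface, and that stops the controllers from talking to the internet at all. The script below is an added example written for this page, not code from Mitsubishi Electric or from the advisory. The subnets, the table name hvac_guard and the set names are constructed placeholders; substitute the addresses from your own inventory. It assumes the policy is applied on a Linux router or firewall (nftables) that forwards traffic into the HVAC VLAN.

```shell
#!/usr/bin/env bash
# Added example (not from the advisory): nftables policy that restricts
# access to unpatched HVAC controllers to trusted sources only.
# All addresses below are constructed placeholders; override via environment.
set -eu

HVAC_CONTROLLERS="${HVAC_CONTROLLERS:-10.20.30.0/24}"   # assumed: VLAN holding the AE-200/EW-50/G-50 units
BMS_VLAN="${BMS_VLAN:-10.10.5.0/24}"                    # assumed: building-management workstations
VPN_POOL="${VPN_POOL:-10.99.0.0/16}"                    # assumed: address pool handed to VPN clients

# Emit the ruleset. Only the forward chain is touched, so other traffic
# through the firewall keeps whatever policy it already has.
hvac_ruleset() {
    cat <<EOF
table inet hvac_guard {
    set hvac_controllers { type ipv4_addr; flags interval; elements = { $HVAC_CONTROLLERS } }
    set allowed_sources  { type ipv4_addr; flags interval; elements = { $BMS_VLAN, $VPN_POOL } }

    chain forward {
        type filter hook forward priority 0; policy accept;
        ct state established,related accept
        # Trusted sources may open sessions to the controllers' web UI only.
        ip saddr @allowed_sources ip daddr @hvac_controllers tcp dport { 80, 443 } accept
        # Controllers must never initiate connections outside private address space.
        ip saddr @hvac_controllers ip daddr != { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } log prefix "hvac-egress-drop " drop
        # Everything else aimed at the controllers is logged and dropped.
        ip daddr @hvac_controllers log prefix "hvac-ingress-drop " drop
    }
}
EOF
}

# Syntax-check the ruleset with nft, then load it. Fails cleanly if nft is absent.
apply_ruleset() {
    if ! command -v nft >/dev/null 2>&1; then
        echo "nft not installed; ruleset not applied" >&2
        return 1
    fi
    hvac_ruleset | nft -c -f -    # --check: parse and validate without applying
    hvac_ruleset | nft -f -
}

# Usage: ./hvac_guard.sh          -> print the ruleset for review
#        ./hvac_guard.sh apply    -> validate and load it with nft
if [ "${1:-}" = "apply" ]; then
    apply_ruleset
else
    hvac_ruleset
fi
```

Review the printed ruleset before running it with `apply`, and confirm from a host outside BMS_VLAN and VPN_POOL that TCP 80/443 to a controller times out while the `hvac-ingress-drop` prefix appears in the firewall log. The egress rule matters too: with no fix coming for most models, a controller that has already been tampered with should not be able to reach anything outside the site.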