Which Mitsubishi Electric air conditioning controllers are affected?

The vulnerability impacts a comprehensive range of controllers including G-50, G-50-W, G-50A series; GB-50, GB-50A, GB-24A series (Version 3.37 and prior); AE-200J/A/E, AE-50J/A/E series; EW-50J/A/E series; TE-200A, TE-50A series; TW-50A series; G-150AD, AG-150A-A/J series; GB-50AD, GB-50ADA-A/J series; and additional models across the Mitsubishi Electric commercial HVAC product line.

Are patches available for the affected systems?

Currently, no patches are available for the majority of affected Mitsubishi Electric models. The company is actively preparing improved firmware versions for select controller series, including AE-200J/A/E, AE-50J/A/E, EW-50J/A/E, TE-200A, TE-50A, and TW-50A models. Organizations should contact Mitsubishi Electric directly for updates on patch availability and deployment timelines.

What immediate security measures should organizations implement?

CISA strongly recommends implementing network hardening measures including: restricting access to air conditioning controllers through firewalls, isolating these systems in dedicated VLANs or behind VPN connections, and implementing physical security measures like securing server rooms and HVAC control panels to prevent unauthorized local access.

How severe is this vulnerability?

This is a critical vulnerability with a CVSS score of 9.8 out of 10, indicating maximum severity. The high score reflects the ease of exploitation (no authentication required) and the significant impact on industrial HVAC infrastructure security.

What type of systems are at risk from this vulnerability?

Industrial HVAC infrastructure using Mitsubishi Electric air conditioning control systems is at risk. This includes commercial buildings, industrial facilities, and other organizations that rely on these controllers for climate control operations.

Advisory

Critical vulnerability exposes Mitsubishi Electric Air Conditioning Controllers to remote takeover

Q: What is the critical vulnerability found in Mitsubishi Electric air conditioning systems?

CISA has reported a critical vulnerability tracked as CVE-2025-3699 with a CVSS score of 9.8. The vulnerability is classified as 'Missing Authentication for Critical Function' in the web interfaces of Mitsubishi Electric air conditioning controllers, allowing remote attackers to gain unauthorized control over industrial HVAC infrastructure.

Q: What can attackers do with this vulnerability?

Remote, unauthenticated attackers can circumvent login mechanisms and gain unauthorized access to HVAC systems. Once successful, malicious actors can illegally control HVAC operations, access sensitive system information, and tamper with device firmware using disclosed configuration data.

published: June 27, 2025

Take action: If you have Mitsubishi Electric air conditioning controllers, make sure they are isolated from the internet and accessible only from trusted networks. Also make sure thar physical access to HVAC control panels is properly secured. Then contact Mitsubishi Electric for patch availability.

Learn More

CISA is reporting a critical vulnerability in Mitsubishi Electric air conditioning control systems that could allow remote attackers to gain unauthorized control over industrial HVAC infrastructure.

This vulnerability is tracked as CVE-2025-3699 (CVSS score 9.8) "Missing Authentication for Critical Function" in the web interfaces of affected air conditioning controllers. This flaw enables remote, unauthenticated attackers to circumvent the login mechanisms and gain unauthorized access. Once successful, malicious actors can illegally control HVAC operations, access sensitive system information, and tamper with device firmware using disclosed configuration data.

The vulnerability impacts a comprehensive range of Mitsubishi Electric air conditioning controllers, including but not limited to:

G-50, G-50-W, G-50A series controllers
GB-50, GB-50A, GB-24A series (Version 3.37 and prior)
AE-200J, AE-200A, AE-200E, AE-50J, AE-50A, AE-50E series
EW-50J, EW-50A, EW-50E series controllers
TE-200A, TE-50A series controllers
TW-50A series controllers
G-150AD, AG-150A-A, AG-150A-J series
GB-50AD, GB-50ADA-A, GB-50ADA-J series
Additional models across the Mitsubishi Electric commercial HVAC product line

Currently, no patches are available for the majority of affected Mitsubishi Electric models. The company is actively preparing improved firmware versions for select controller series, including AE-200J, AE-200A, AE-200E, AE-50J, AE-50A, AE-50E, EW-50J, EW-50A, EW-50E, TE-200A, TE-50A, and TW-50A models. Organizations should contact Mitsubishi Electric directly for updates on patch availability and deployment timelines for their specific equipment.

CISA strongly recommends implementing network hardening measures. Organizations should restrict access to air conditioning controllers through firewalls and isolate these systems in dedicated VLANs or behind VPN connections and implement physical security measures like securing server rooms and HVAC control panels to prevent unauthorized local access.

Critical vulnerability exposes Mitsubishi Electric Air Conditioning Controllers to remote takeover

Read More
Rockwell Automation vulnerability exploited in the wild by …
Team82 Researchers report multiple flaws in Axis Communications …
Siemens reports vulnerabilities in SINEMA Remote Connect Client, …
The critical Erlang/OTP SSH flaw actively exploited targeting …
Critical vulnerability reported in Milesight UR32L industrial routers