Critical Vulnerability in Mitsubishi Electric AC Systems Allows Remote Control

Mitsubishi Electric has disclosed a serious authentication bypass vulnerability affecting 27 models of its air conditioning systems, potentially enabling remote attackers to gain unauthorized control over HVAC systems. Tracked as CVE-2025-3699, the vulnerability carries a CVSS score of 9.8, placing it in the critical severity range.


The flaw arises from a “Missing Authentication for Critical Function” weakness, allowing attackers to bypass authentication entirely. Once exploited, malicious actors can control air conditioning systems, access sensitive data, and tamper with firmware without any user interaction, making it particularly dangerous.

Discovered by security researcher Mihály Csonka, this vulnerability impacts a wide range of Mitsubishi Electric models, including the G-50, GB-50, AE-200, and EW-50 series, among others. Affected firmware includes versions 3.37 and earlier for the G-series and 9.12 and earlier for the GB-24A, along with other versions listed in the advisory.


The risk is heightened in improperly configured environments where systems are directly accessible from the internet without VPN protection. In contrast, systems secured within internal networks or behind VPNs face significantly reduced risk.

Mitsubishi Electric has stated that there are no plans to release fixed firmware for most affected products, although improved versions for select models are in development. For immediate protection, the company recommends restricting network access from untrusted sources, limiting physical access to systems, and keeping antivirus software updated.
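Because no fix is planned for most affected models, the practical control is network restriction, and a defender will want to verify that it actually holds. The following is an added example, not code from Mitsubishi Electric or from the advisory: it scans firewall accept-log lines for connections reaching building-automation controllers from anywhere other than an allowlisted management subnet. The controller addresses, the management subnet, the destination ports and the log line format are all constructed assumptions for illustration.

```python
"""Flag accepted connections to building-automation (BMS) controllers that did
not originate from the allowlisted facilities-management subnet.

Added example; not vendor code.  Addresses, subnets, ports and the log format
are constructed assumptions, not values from the advisory.
"""
import ipaddress
import re

# Assumed: air-conditioning controllers sit on a dedicated BMS VLAN (constructed).
BMS_CONTROLLERS = {
    ipaddress.ip_address("10.40.0.21"),
    ipaddress.ip_address("10.40.0.22"),
}

# Assumed: only the facilities-management jump-host subnet may reach them (constructed).
ALLOWED_SOURCES = [ipaddress.ip_network("10.10.5.0/24")]

# RFC 1918 ranges, used only to label a finding as internal or external.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed firewall log format (constructed): "<ts> ACCEPT|DROP src=<ip> dst=<ip> dport=<n>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines we do not understand."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": m["ts"],
        "action": m["action"],
        "src": ipaddress.ip_address(m["src"]),
        "dst": ipaddress.ip_address(m["dst"]),
        "dport": int(m["dport"]),
    }


def is_allowed_source(src):
    """True when the source lies inside one of the allowlisted management networks."""
    return any(src in net for net in ALLOWED_SOURCES)


def classify_source(src):
    """Label the offending source so the finding says how far the exposure reaches."""
    if any(src in net for net in RFC1918):
        return "internal, outside management subnet"
    return "external"


def find_unexpected_access(lines):
    """Return (ts, src, dst, dport, reason) for every accepted connection to a
    controller whose source is not on the allowlist.  Dropped traffic and
    traffic to other hosts are ignored; malformed lines are skipped."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue
        if rec["dst"] in BMS_CONTROLLERS and not is_allowed_source(rec["src"]):
            findings.append(
                (rec["ts"], str(rec["src"]), str(rec["dst"]), rec["dport"],
                 classify_source(rec["src"]))
            )
    return findings


# Constructed sample log: one allowed access, one from a public address, one
# dropped attempt, one from an internal but non-management host, one to an
# unrelated server, and one malformed line.
SAMPLE_LOG = [
    "2025-06-01T08:00:01Z ACCEPT src=10.10.5.14 dst=10.40.0.21 dport=80",
    "2025-06-01T08:02:17Z ACCEPT src=198.51.100.7 dst=10.40.0.21 dport=80",
    "2025-06-01T08:03:44Z DROP src=198.51.100.9 dst=10.40.0.22 dport=80",
    "2025-06-01T08:05:00Z ACCEPT src=10.20.30.40 dst=10.40.0.22 dport=443",
    "2025-06-01T08:06:00Z ACCEPT src=10.10.5.14 dst=10.50.1.1 dport=22",
    "this line is not a firewall record",
]

if __name__ == "__main__":
    for ts, src, dst, dport, reason in find_unexpected_access(SAMPLE_LOG):
        print(f"{ts} {src} -> {dst}:{dport}  [{reason}]")
```

Any "external" finding means the controller is reachable from outside the organisation, which is exactly the misconfiguration the advisory warns about; an "internal, outside management subnet" finding shows the allowlist is not being enforced at the firewall, which matters because the vulnerability needs no credentials once a packet reaches the device.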

This disclosure underscores the growing security challenges in building automation and IoT infrastructure. Organizations using affected Mitsubishi Electric air conditioning systems should promptly assess their network configurations and implement recommended security measures to mitigate potential exploitation of this critical vulnerability.