Mitsubishi Electric AC Flaw Lets Hackers Remotely Control Systems

A critical security vulnerability has been discovered in multiple Mitsubishi Electric air conditioning systems, potentially allowing hackers to bypass authentication and remotely control affected units.

The flaw, identified as CVE-2025-3699, was disclosed by Mitsubishi Electric on June 26, 2025, and has been assigned a maximum CVSS base score of 9.8, indicating its severity.

Authentication Bypass Exposes Building HVAC Systems

The vulnerability stems from missing authentication for critical functions in the web interfaces of the affected air conditioning models.

If exploited, an attacker could gain unauthorized access, manipulate system settings, disclose sensitive information, and even tamper with device firmware.

This could disrupt climate control in offices, data centers, or any building using these systems, posing risks to safety, privacy, and operational continuity.

Wide Range of Products Affected

The flaw impacts a broad lineup of Mitsubishi Electric air conditioning controllers, including but not limited to the following models and versions:

  • G-50, G-50-W, G-50A, GB-50, GB-50A, GB-24A (Ver. 3.37 and prior)
  • G-150AD, AG-150A-A, AG-150A-J, GB-50AD, GB-50ADA-A, GB-50ADA-J (Ver. 3.21 and prior)
  • EB-50GU-A, EB-50GU-J (Ver. 7.11 and prior)
  • AE-200J, AE-200A, AE-200E, AE-50J, AE-50A, AE-50E, EW-50J, EW-50A, EW-50E, TE-200A, TE-50A, TW-50A (Ver. 8.01 and prior)
  • CMS-RMD-J (Ver. 1.40 and prior)

Mitsubishi Electric notes that the risk of exploitation is highly dependent on how the system is configured.

If the air conditioning controllers are deployed within a secure intranet or protected by a VPN, the vulnerability cannot be exploited from the internet.

However, systems exposed to external networks without proper isolation or VPN protection are at significant risk.
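The two factors the advisory ties together, whether a unit is on the affected model/version list and whether its web interface is reachable only from a trusted network, are exactly what an asset owner needs to triage an inventory. The script below is an added example written for this article, not code from Mitsubishi Electric or the advisory. It encodes the affected models and "and prior" version ceilings quoted above, compares firmware versions as dotted integer components (an assumption about the vendor's numbering), and uses a constructed network-zone classification ("isolated", "vpn", "internet") that mirrors the advisory's configuration caveat.

```python
"""Triage an HVAC-controller inventory against the CVE-2025-3699 affected list."""
from dataclasses import dataclass

# Affected models and the last affected firmware version, taken from the advisory
# text ("Ver. X.YY and prior"). Anything at or below the ceiling is affected.
AFFECTED_MAX_VERSION = {
    **dict.fromkeys(["G-50", "G-50-W", "G-50A", "GB-50", "GB-50A", "GB-24A"], "3.37"),
    **dict.fromkeys(["G-150AD", "AG-150A-A", "AG-150A-J", "GB-50AD",
                     "GB-50ADA-A", "GB-50ADA-J"], "3.21"),
    **dict.fromkeys(["EB-50GU-A", "EB-50GU-J"], "7.11"),
    **dict.fromkeys(["AE-200J", "AE-200A", "AE-200E", "AE-50J", "AE-50A", "AE-50E",
                     "EW-50J", "EW-50A", "EW-50E", "TE-200A", "TE-50A", "TW-50A"], "8.01"),
    **dict.fromkeys(["CMS-RMD-J"], "1.40"),
}

# Zones from which the advisory says the flaw cannot be reached from the internet.
TRUSTED_ZONES = {"isolated", "vpn"}


def parse_version(text):
    """Turn 'Ver. 3.37', 'v3.37' or '3.37' into (3, 37).

    Assumption: versions are dotted integer components, so 3.40 > 3.37.
    """
    cleaned = text.strip().lower()
    for prefix in ("ver.", "ver", "v"):
        if cleaned.startswith(prefix):
            cleaned = cleaned[len(prefix):].strip()
            break
    return tuple(int(part) for part in cleaned.split("."))


def is_affected(model, version):
    """True when the model is listed and its firmware is at or below the ceiling."""
    ceiling = AFFECTED_MAX_VERSION.get(model.upper())
    if ceiling is None:
        return False  # model not named in the advisory
    return parse_version(version) <= parse_version(ceiling)


@dataclass
class Controller:
    name: str
    model: str
    version: str
    zone: str  # constructed classification: "isolated", "vpn" or "internet"


def triage(inventory):
    """Map each controller name to a priority string based on version and exposure."""
    results = {}
    for unit in inventory:
        if not is_affected(unit.model, unit.version):
            results[unit.name] = "not affected"
        elif unit.zone in TRUSTED_ZONES:
            results[unit.name] = "vulnerable; reachable only via trusted network"
        else:
            results[unit.name] = "vulnerable and exposed; restrict access now"
    return results


# Constructed sample inventory; names, versions and zones are illustrative only.
SAMPLE_INVENTORY = [
    Controller("hq-floor3", "AE-200E", "Ver. 7.90", "internet"),
    Controller("dc-north", "GB-50ADA-A", "3.21", "vpn"),
    Controller("lab-annex", "EW-50A", "8.02", "internet"),
    Controller("warehouse", "CMS-RMD-J", "v1.40", "isolated"),
    Controller("other-vendor", "XYZ-1", "1.0", "internet"),
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{name:14} {verdict}")
```

Units flagged "vulnerable and exposed" are the ones the advisory's caveat describes as at significant risk and should be moved behind the network restrictions Mitsubishi Electric recommends first; "not affected" covers both unlisted models and firmware newer than the stated ceiling.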

No Immediate Patch, Mitigations Recommended

Currently, there is no fixed version available for most affected products. Mitsubishi Electric is preparing improved versions for some models but urges customers to take immediate mitigation steps:

  • Restrict access from untrusted networks and hosts.
  • Limit physical access to both the air conditioning systems and the computers connected to them.
  • Ensure computers used to access the systems are protected with up-to-date antivirus software, operating systems, and web browsers.

The vulnerability was reported by security researcher Mihály Csonka. Mitsubishi Electric is working on updates for certain models and advises all customers to review their system configurations and apply recommended mitigations to prevent unauthorized access.

Organizations using Mitsubishi Electric air conditioning systems should act swiftly to secure their networks and consult with their local Mitsubishi Electric representatives for further guidance.
