Few cybersecurity issues generate as much alarm—or as many practical ramifications—as those affecting building automation and industrial control systems. This has once again been underscored by a recent vulnerability uncovered in Mitsubishi Electric air conditioning systems, outlined by the Cybersecurity and Infrastructure Security Agency (CISA) and documented under CVE-2025-3699. Characterized as a missing authentication flaw with a CVSS v4 base score of 9.3, this bug has the potential not only to disrupt the comfort of building tenants but also to threaten uptime, operational safety, and privacy in facilities ranging from commercial offices to critical infrastructure.
Critical Vulnerability in Building Climate Control
Rarely does a single vulnerability attract unanimous concern across IT security, facilities management, and operational technology (OT) circles. But the high-severity flaw discovered in multiple Mitsubishi Electric air conditioning products is exceptional both in its simplicity—missing authentication for critical function—and in its potential for widespread exploitation. According to both official advisories and independent expert analysis, the flaw is trivial to exploit remotely, requires no user interaction or privileges, and if left unaddressed, could grant an attacker full, unauthorized control over affected systems.
At a Glance: CVE-2025-3699
Vendor: Mitsubishi Electric
Affected Equipment: Air conditioners, control panels, and network gateway units used in commercial and industrial facilities
Severity (CVSS v4): 9.3
Attack Complexity: Low—exploitable remotely, no authentication required
Potential Impact: Full remote takeover, data disclosure, and possible firmware tampering
“Successful exploitation of this vulnerability could allow an attacker to control the air conditioning system.”
— CISA Advisory ICSA-25-177-01
Products Affected: Legacy and Modern, Global Reach
The risk associated with this vulnerability is amplified by the breadth of products affected. Mitsubishi Electric’s portfolio of building climate control systems is vast and globally deployed, with use spanning from high-rise office towers in Asia and Europe to critical infrastructure facilities in North America.
According to Mitsubishi Electric’s official disclosure, the following products and software versions are confirmed as vulnerable:
- G-50, G-50-W, G-50A, GB-50, GB-50A, GB-24A: Various versions with 3.37, 9.12, and prior
- G-150AD, AG-150A-A, AG-150A-J, GB-50AD, GB-50ADA-A, GB-50ADA-J: Version 3.21 and prior
- EB-50GU-A, EB-50GU-J: Version 7.11 and prior
- AE-200J, AE-200A, AE-200E, AE-50J, AE-50A, AE-50E, EW-50J, EW-50A, EW-50E: Version 8.01 and prior
- TE-200A, TE-50A, TW-50A: Version 8.01 and prior
- CMS-RMD-J: Version 1.40 and prior
Industries and Geographies
While not exclusively deployed in critical infrastructure, Mitsubishi’s HVAC systems are prevalent in commercial real estate, universities, hospitals, government buildings, and data centers. CISA’s advisory specifically highlights commercial facilities but notes worldwide distribution. The company itself is headquartered in Japan, but its air conditioning and automation solutions are deeply embedded in real estate and industrial sectors across North America, Europe, Asia, and beyond.
Anatomy of the Flaw: Missing Authentication for Critical Functions
The vulnerability, classified under CWE-306 (“Missing Authentication for Critical Function”), is as straightforward as it is impactful. Security researchers, including Mihály Csonka who coordinated disclosure with Mitsubishi Electric, identified that critical system functions could be accessed and manipulated without any form of authentication.
Potential Attack Scenarios
Attackers who find a vulnerable Mitsubishi Electric controller exposed to a network—either via misconfiguration, poor segmentation, or deliberate remote access—can:
- Issue unauthorized commands to turn HVAC units on or off, disrupting cooling or heating for entire facilities.
- Alter temperature set points, fan speeds, and operation modes, leading to uncomfortable or unsafe conditions.
- Extract sensitive information about building operations or system topology.
- Tamper with the firmware, potentially installing persistent malware for future ICS attacks.
CVSS Analysis
The severity of CVE-2025-3699 is captured by its CVSS base scores: 9.8 (v3.1) and 9.3 (v4.0). Broken down, this reflects:
- AV:N (Network): Exploitable over the network
- AC:L (Low Attack Complexity): No complex conditions
- PR:N (No Privileges): No authentication needed
- UI:N (No User Interaction): Zero user interaction required
- C:H, I:H, A:H (High confidentiality, integrity, and availability impacts): Reflects risk of data disclosure, system hijack, and denial of service
The full v4.0 vector, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N, indicates that neither a scope change to other systems nor social engineering is required. The whole attack could be driven by scanning and automated exploitation tools.
Technical and Operational Implications
Facility Disruption and Safety
Most HVAC vulnerabilities are regarded as “high inconvenience, low risk” because they typically disrupt operations rather than facilitate direct theft or destruction. However, Mitsubishi’s widespread deployment in large building complexes, hospitals, and critical systems means a mass exploit could induce real physical consequences—overheating data centers, undermining pharmaceutical storage, or triggering false environmental alarms.
Research from experts in industrial cybersecurity demonstrates that firmware tampering and illegal remote control of environmental systems can serve as stepping stones for more advanced attacks—providing persistence, pivot points, or distractions for other intrusions. In the case of connected or integrated building management systems, the consequences could cascade far beyond localized discomfort.
Potential Privacy Risks
In addition to control, affected systems may disclose sensitive information. Attackers could gather intelligence on building occupancy, layout, and operational schedules, feeding targeted phishing attacks or even facilitating physical intrusion. This is especially pronounced where Mitsubishi’s controllers are integrated into broader building or security networks.
Long-Term Security Debt
One of the greatest challenges in building automation and OT cybersecurity is the longevity of hardware deployments. Unlike consumer IT equipment, which is refreshed every few years, climate control and industrial systems can remain in operation for a decade or more—sometimes long after vendor support has ended. This complicates patch cycles.
Site operators may lack documentation for their specific models or have inherited legacy infrastructure during renovations. Asset visibility, firmware version tracking, and the ability to quickly apply or roll back patches are often sorely lacking.
Mitigations: Immediate and Longer-Term Recommendations
Vendor Patching Roadmap
Mitsubishi Electric notes that improved software and firmware versions are being prepared for a selection of their newer controller products:
- Planned Upgrades: AE-200J, AE-200A, AE-200E, AE-50J, AE-50A, AE-50E, EW-50J, EW-50A, EW-50E, TE-200A, TE-50A, TW-50A
CISA and Vendor Recommended Defenses
Mitsubishi Electric and CISA together recommend multi-layered strategies, summarized as follows:
- Network Segmentation: Restrict access to air conditioning systems from untrusted networks and hosts. Place all building automation and HVAC controllers on a secure, dedicated segment—not directly accessible from business networks or the public internet.
- Physical Security: Limit physical access to HVAC system devices, network junctions, and computers permitted to control them.
- Endpoint Hygiene: Apply antivirus software and ensure operating systems and browsers on connected computers are fully updated.
- Access Controls: Apply strong, unique credentials and disable unused or default system accounts where possible.
- System Monitoring: Regularly examine system logs for unauthorized access attempts or unplanned configuration changes.
Best Practices for Asset Owners
For those managing affected systems, the following steps are strongly advised:
- Identify Affected Deployments: Inventory all Mitsubishi Electric devices and check against the published version numbers.
- Isolate and Patch: Apply available updates immediately or work with Mitsubishi Electric to receive mitigations. Where patching is not viable, enforce strict segmentation and monitor for anomalous activity.
- Document Baselines: Record configuration baselines and normal operation metrics to more rapidly detect and respond to suspicious changes.
- Train Personnel: Ensure facilities staff, IT, and OT personnel understand how to detect and escalate abnormal behavior on HVAC and associated control network segments.
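One way to carry out the first two steps together, as an added example that is not the vendor's or CISA's tooling: a triage script that checks an asset inventory against the affected-version table published above and ranks affected devices that sit outside the dedicated HVAC segment first. The inventory rows, network labels and site names are constructed for illustration; the first product family lists two thresholds on the page (3.37 and 9.12), so the check conservatively flags a device at or below either and leaves the final call to the vendor bulletin.

```python
import csv
import io

# Affected-version table as printed above ("and prior" = that version or lower).
# The G-50 family shows two thresholds on the page; a device at or below either
# is flagged, and the vendor bulletin decides the final status.
AFFECTED = {
    ("G-50", "G-50-W", "G-50A", "GB-50", "GB-50A", "GB-24A"): ("3.37", "9.12"),
    ("G-150AD", "AG-150A-A", "AG-150A-J", "GB-50AD", "GB-50ADA-A", "GB-50ADA-J"): ("3.21",),
    ("EB-50GU-A", "EB-50GU-J"): ("7.11",),
    ("AE-200J", "AE-200A", "AE-200E", "AE-50J", "AE-50A", "AE-50E",
     "EW-50J", "EW-50A", "EW-50E", "TE-200A", "TE-50A", "TW-50A"): ("8.01",),
    ("CMS-RMD-J",): ("1.40",),
}
# Constructed sample inventory (hypothetical sites, assets, versions, networks).
INVENTORY_CSV = """site,asset,model,version,network
HQ,ac-ctrl-01,AE-200A,7.93,corp-lan
HQ,ac-ctrl-02,AE-200A,8.02,hvac-vlan
Lab,gw-01,GB-50ADA-A,3.21,hvac-vlan
Lab,gw-02,CMS-RMD-J,1.40,internet
DC1,ac-ctrl-03,EXAMPLE-CTRL,2.00,hvac-vlan
"""
# Anything not on the dedicated HVAC segment counts as exposed (hypothetical labels).
EXPOSED_NETWORKS = {"corp-lan", "internet"}
PRIORITY = {"affected+exposed": 1, "affected": 2, "above-listed-range": 3, "not-listed": 4}


def parse_version(v: str) -> tuple:
    """'8.01' -> (8, 1): compare component-wise, never as a float."""
    return tuple(int(p) for p in v.strip().split("."))


def assess(model: str, version: str) -> str:
    """Classify one device against the published table."""
    thresholds = next((t for models, t in AFFECTED.items() if model in models), None)
    if thresholds is None:
        return "not-listed"
    if any(parse_version(version) <= parse_version(t) for t in thresholds):
        return "affected"
    return "above-listed-range"  # listed model, newer than the table: confirm fixed version


def triage(csv_text: str) -> list:
    """Rank inventory rows: affected devices reachable from outside the HVAC segment first."""
    ranked = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        status = assess(row["model"], row["version"])
        key = "affected+exposed" if status == "affected" and row["network"] in EXPOSED_NETWORKS else status
        ranked.append({**row, "status": status, "priority": PRIORITY[key]})
    return sorted(ranked, key=lambda r: r["priority"])  # stable sort keeps inventory order within a tier
```

Priority 1 rows (affected and reachable from the business network or the internet) are the segmentation and patching work to schedule first; priority 3 rows are listed models whose version is newer than the table and should be confirmed against the bulletin's fixed version.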
Evaluating the Broader Industrial Cybersecurity Landscape
Regulatory and Insurance Implications
Large-scale vulnerabilities such as CVE-2025-3699 can carry contractual and legal ramifications, especially for entities in regulated industries or with mandated security compliance programs (e.g., hospitals under HIPAA, financial institutions governed by GLBA, or facilities subject to PCI-DSS for physical environment controls). Insurance providers increasingly scrutinize “cyber hygiene” measures, and organizations found to be running unpatched or poorly segmented HVAC infrastructure may face penalties or increased premiums.
Recent attacks targeting building management and environmental controls—like the high-profile breaches at data center facilities and city governments over the past three years—reflect a growing awareness that “physical IT” security is inextricably linked to broader cyber risk.
Coordinated Vulnerability Disclosure: A Model for Future Response
The discovery and disclosure of this Mitsubishi Electric vulnerability provides a textbook case in responsible coordinated reporting and vendor response. Security researcher Mihály Csonka’s work, and the timely publication of detailed remediation instructions, likely forestalled malicious exploitation. Nevertheless, increased scrutiny of embedded systems in building automation remains warranted, as adversaries shift toward less obvious attack vectors and more subtle forms of system manipulation and disruption.
CISA’s advisories, combined with open-source contributions such as the Common Security Advisory Framework (CSAF), continue to standardize how vulnerabilities are analyzed, rated, and communicated. This, in turn, enables more rapid and consistent industry response.
Critical Analysis: Notable Strengths and Persistent Risks
Mitsubishi Electric’s Response
There is clear credit due to Mitsubishi Electric for the transparent publication of affected versions, as well as a concrete patching roadmap. Their security bulletin offers actionable and precise measures for owners and integrators of affected systems. The communication further eases risk management for organizations with diverse or distributed real estate holdings.
Systemic Risks and the Reality of Legacy Equipment
However, several persistent risks warrant attention:
- Legacy Gaps: Many affected models may be too old to support firmware upgrades or have reached end of support, leaving organizations with “forever-day” vulnerabilities.
- Visibility and Asset Management: Many operators lack centralized inventory of embedded OT devices, making comprehensive assessment difficult, especially in multi-tenant or aging properties.
- Internet Exposure: According to data aggregated from Shodan and other internet scanning platforms, thousands of industrial HVAC and building automation controllers remain exposed to the public internet, often with little or no password protection—a trend that has only slowly improved despite repeated industry warnings.
- Supply Chain Dependencies: Integrators and subcontracted building managers may not receive timely information about vulnerabilities unless centralized policies exist for vulnerability management and threat intelligence sharing with facility tenants.
The Urgent Need for Industry-Wide Culture Shift
As highlighted by the repeated targeting of ICS and OT networks in recent years, all entities—from individual building owners to global real estate conglomerates—must recognize that environmental control systems are not passive technologies. They represent both comfort and business continuity risks. Their protection, audit, and upgrade need to become standard practice within IT/OT cyber risk programs.
Conclusion: A Call for Proactive Security and Awareness
The CVE-2025-3699 vulnerability affecting Mitsubishi Electric air conditioning systems serves as a clarion call for anyone responsible for facility management, enterprise IT, or industrial operational technology. The risk is both highly technical and deeply practical: the ability for unknown adversaries to manipulate climate, disrupt facility operations, and potentially create physical harm through cyber means has moved from speculative to real.
Organizations must not only apply immediate mitigations and vendor updates but also fundamentally reassess how building systems are inventoried, isolated, and protected over their (typically lengthy) life cycles. The convergence of comfort, operational safety, privacy, and cybersecurity demands that building automation controls are treated as first-class citizens in any risk management conversation.
By responding quickly to disclosed vulnerabilities and adopting a culture of security-first asset management, facility owners, operators, and IT security professionals can turn an urgent threat into an opportunity for resilience and leadership in the connected age.
For more information, and to access technical resources and updates, readers are encouraged to visit CISA’s official advisory and Mitsubishi Electric’s security bulletin.
Source: CISA Mitsubishi Electric Air Conditioning Systems | CISA