Mitsubishi Electric has disclosed a critical authentication bypass vulnerability affecting 27 different air conditioning system models, potentially allowing remote attackers to gain unauthorized control over building HVAC systems. Security researcher Mihály Csonka discovered and reported the vulnerability to Mitsubishi Electric, an example of the security community and manufacturers working together to identify and address vulnerabilities in critical infrastructure.

The vulnerability affects a broad range of Mitsubishi Electric air conditioning systems, including the G-50 series, GB-50 series, AE-200 and AE-50 series, EW-50 series, and various other models. All affected systems running firmware versions 3.37 and prior (G-series models), 9.12 and prior (GB-24A), 3.21 and prior (G-150AD and related models), 7.11 and prior (EB-50GU models), 8.01 and prior (AE/EW/TE/TW series), and 1.40 and prior (CMS-RMD-J) are vulnerable.

For immediate protection, Mitsubishi Electric recommends several mitigations: restrict network access from untrusted sources, limit physical access to the systems and the infrastructure they connect to, and keep antivirus software and web browsers up to date on the computers used to manage them. The company emphasized that its air conditioning systems are designed for use within secure intranets or on networks protected by a VPN, underlining the importance of proper network segmentation and access controls. As such systems become increasingly connected, the scope for remote exploitation grows, and with it the need for robust security practices in industrial and commercial environments. Organizations using affected systems should immediately assess their network configurations and implement the recommended measures to prevent exploitation.
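A defender's first task here is inventory triage. As an added example (not from the article or from Mitsubishi Electric), the following Python script applies the "X and prior" thresholds listed above to a constructed device inventory; the model-prefix patterns and the per-component version ordering are assumptions to confirm against the vendor advisory.

```python
"""Inventory triage for the Mitsubishi Electric advisory summarized above.
Added example, not from the article or the vendor. The thresholds ("X and
prior") come from the article; the model-prefix patterns, the tuple-wise
version ordering and the CSV inventory are assumptions/constructed data."""
import csv
import io
import re
# Highest vulnerable firmware per family, per the article. Order matters:
# the more specific G-150AD pattern must be tried before the generic G- one.
VULNERABLE_THROUGH = [
    (re.compile(r"^GB-24A"), "9.12"),
    (re.compile(r"^G-150AD"), "3.21"),
    (re.compile(r"^EB-50GU"), "7.11"),
    (re.compile(r"^CMS-RMD-J"), "1.40"),
    (re.compile(r"^(AE|EW|TE|TW)-"), "8.01"),
    (re.compile(r"^G-"), "3.37"),
]

def parse_version(text):
    """'3.37' -> (3, 37): compare per component, not as text or float.
    As text or float '3.9' sorts above '3.37'; as a dotted version it is prior."""
    return tuple(int(p) for p in text.strip().split("."))

def is_vulnerable(model, firmware):
    """True if the firmware is at or below the family's threshold, False if
    above it, None if the model is not one of the listed families."""
    for pattern, ceiling in VULNERABLE_THROUGH:
        if pattern.match(model.strip().upper()):
            return parse_version(firmware) <= parse_version(ceiling)
    return None

def triage(inventory_csv):
    """Return (host, model, firmware) for each row that needs patching."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return [(r["host"], r["model"], r["firmware"])
            for r in rows if is_vulnerable(r["model"], r["firmware"])]

# Constructed sample inventory; hosts and versions are made up for the demo.
SAMPLE_INVENTORY = """host,model,firmware
hvac-01,AE-200A,8.01
hvac-02,AE-200A,8.10
hvac-03,G-150AD,3.21
hvac-04,GB-24A,9.9
hvac-06,CMS-RMD-J,1.40
"""

if __name__ == "__main__":
    for host, model, fw in triage(SAMPLE_INVENTORY):
        print(f"{host}: {model} firmware {fw} is within the vulnerable range")
```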
The broad scope of affected products underscores the potential impact on commercial buildings, industrial facilities, and other environments where these systems are deployed for climate control and building automation. The vulnerability poses the greatest risk in improperly configured environments where air conditioning systems are directly reachable from the internet without VPN protection. If the flaw is exploited, attackers can take control of the air conditioning systems, access sensitive information, and even tamper with firmware using the disclosed data.
This article was published on cybersecuritynews.com on Fri, 27 Jun 2025 02:30:14 +0000.