CVE-2025-3699

Summary

Missing Authentication for Critical Function vulnerability in Mitsubishi Electric Corporation G-50 all versions, G-50-W all versions, G-50A all versions, GB-50 all versions, GB-50A all versions, GB-24A all versions, G-150AD all versions, AG-150A-A all versions, AG-150A-J all versions, GB-50AD all versions, GB-50ADA-A all versions, GB-50ADA-J all versions, EB-50GU-A all versions, EB-50GU-J all versions, AE-200J all versions, AE-200A all versions, AE-200E all versions, AE-50J all versions, AE-50A all versions, AE-50E all versions, EW-50J all versions, EW-50A all versions, EW-50E all versions, TE-200A all versions, TE-50A all versions, TW-50A all versions, and CMS-RMD-J all versions allows a remote unauthenticated attacker to bypass authentication and then control the air conditioning systems illegally, or disclose information in them by exploiting this vulnerability. In addition, the attacker may tamper with firmware for them using the disclosed information.

Affected Software

VendorProductVersion RangeStatus
Mitsubishi Electric CorporationG-50All versionsaffected
Mitsubishi Electric CorporationG-50-WAll versionsaffected
Mitsubishi Electric CorporationG-50AAll versionsaffected
Mitsubishi Electric CorporationGB-50All versionsaffected
Mitsubishi Electric CorporationGB-50AAll versionsaffected
Mitsubishi Electric CorporationGB-24AAll versionsaffected
Mitsubishi Electric CorporationG-150ADAll versionsaffected
Mitsubishi Electric CorporationAG-150A-AAll versionsaffected
Mitsubishi Electric CorporationAG-150A-JAll versionsaffected
Mitsubishi Electric CorporationGB-50ADAll versionsaffected
Mitsubishi Electric CorporationGB-50ADA-AAll versionsaffected
Mitsubishi Electric CorporationGB-50ADA-JAll versionsaffected
Mitsubishi Electric CorporationEB-50GU-AAll versionsaffected
Mitsubishi Electric CorporationEB-50GU-JAll versionsaffected
Mitsubishi Electric CorporationAE-200JAll versionsaffected
Mitsubishi Electric CorporationAE-200AAll versionsaffected
Mitsubishi Electric CorporationAE-200EAll versionsaffected
Mitsubishi Electric CorporationAE-50JAll versionsaffected
Mitsubishi Electric CorporationAE-50AAll versionsaffected
Mitsubishi Electric CorporationAE-50EAll versionsaffected
Mitsubishi Electric CorporationEW-50JAll versionsaffected
Mitsubishi Electric CorporationEW-50AAll versionsaffected
Mitsubishi Electric CorporationEW-50EAll versionsaffected
Mitsubishi Electric CorporationTE-200AAll versionsaffected
Mitsubishi Electric CorporationTE-50AAll versionsaffected
Mitsubishi Electric CorporationTW-50AAll versionsaffected
Mitsubishi Electric CorporationCMS-RMD-JAll versionsaffected

Weaknesses

  • CWE-306: CWE-306 Missing Authentication for Critical Function

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: total

References