CVE-2025-3699
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Missing Authentication for Critical Function vulnerability in Mitsubishi Electric Corporation G-50 all versions, G-50-W all versions, G-50A all versions, GB-50 all versions, GB-50A all versions, GB-24A all versions, G-150AD all versions, AG-150A-A all versions, AG-150A-J all versions, GB-50AD all versions, GB-50ADA-A all versions, GB-50ADA-J all versions, EB-50GU-A all versions, EB-50GU-J all versions, AE-200J all versions, AE-200A all versions, AE-200E all versions, AE-50J all versions, AE-50A all versions, AE-50E all versions, EW-50J all versions, EW-50A all versions, EW-50E all versions, TE-200A all versions, TE-50A all versions, TW-50A all versions, and CMS-RMD-J all versions allows a remote unauthenticated attacker to bypass authentication and then control the air conditioning systems illegally, or disclose information in them by exploiting this vulnerability. In addition, the attacker may tamper with firmware for them using the disclosed information.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Mitsubishi Electric Corporation | G-50 | All versions | affected |
| Mitsubishi Electric Corporation | G-50-W | All versions | affected |
| Mitsubishi Electric Corporation | G-50A | All versions | affected |
| Mitsubishi Electric Corporation | GB-50 | All versions | affected |
| Mitsubishi Electric Corporation | GB-50A | All versions | affected |
| Mitsubishi Electric Corporation | GB-24A | All versions | affected |
| Mitsubishi Electric Corporation | G-150AD | All versions | affected |
| Mitsubishi Electric Corporation | AG-150A-A | All versions | affected |
| Mitsubishi Electric Corporation | AG-150A-J | All versions | affected |
| Mitsubishi Electric Corporation | GB-50AD | All versions | affected |
| Mitsubishi Electric Corporation | GB-50ADA-A | All versions | affected |
| Mitsubishi Electric Corporation | GB-50ADA-J | All versions | affected |
| Mitsubishi Electric Corporation | EB-50GU-A | All versions | affected |
| Mitsubishi Electric Corporation | EB-50GU-J | All versions | affected |
| Mitsubishi Electric Corporation | AE-200J | All versions | affected |
| Mitsubishi Electric Corporation | AE-200A | All versions | affected |
| Mitsubishi Electric Corporation | AE-200E | All versions | affected |
| Mitsubishi Electric Corporation | AE-50J | All versions | affected |
| Mitsubishi Electric Corporation | AE-50A | All versions | affected |
| Mitsubishi Electric Corporation | AE-50E | All versions | affected |
| Mitsubishi Electric Corporation | EW-50J | All versions | affected |
| Mitsubishi Electric Corporation | EW-50A | All versions | affected |
| Mitsubishi Electric Corporation | EW-50E | All versions | affected |
| Mitsubishi Electric Corporation | TE-200A | All versions | affected |
| Mitsubishi Electric Corporation | TE-50A | All versions | affected |
| Mitsubishi Electric Corporation | TW-50A | All versions | affected |
| Mitsubishi Electric Corporation | CMS-RMD-J | All versions | affected |
Weaknesses
- CWE-306: CWE-306 Missing Authentication for Critical Function
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: total
References
- https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-004_en.pdf
- https://jvn.jp/vu/JVNVU96471539/
- https://www.cisa.gov/news-events/ics-advisories/icsa-25-177-01
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.