CVE-2025-3699
published 2025-06-26CVE-2025-3699: Missing Authentication for Critical Function vulnerability in Mitsubishi Electric Corporation G-50 all versions, G-50-W all versions, G-50A all versions, GB-50…
PriorityP272critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
1.09%
61.2th percentile
Missing Authentication for Critical Function vulnerability in Mitsubishi Electric Corporation G-50 all versions, G-50-W all versions, G-50A all versions, GB-50 all versions, GB-50A all versions, GB-24A all versions, G-150AD all versions, AG-150A-A all versions, AG-150A-J all versions, GB-50AD all versions, GB-50ADA-A all versions, GB-50ADA-J all versions, EB-50GU-A all versions, EB-50GU-J all versions, AE-200J all versions, AE-200A all versions, AE-200E all versions, AE-50J all versions, AE-50A all versions, AE-50E all versions, EW-50J all versions, EW-50A all versions, EW-50E all versions, TE-200A all versions, TE-50A all versions, TW-50A all versions, and CMS-RMD-J all versions allows a remote unauthenticated attacker to bypass authentication and then control the air conditioning systems illegally, or disclose information in them by exploiting this vulnerability. In addition, the attacker may tamper with firmware for them using the disclosed information.
Affected
27 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mitsubishi_electric_corporation | ae-200a | — | — |
| mitsubishi_electric_corporation | ae-200e | — | — |
| mitsubishi_electric_corporation | ae-200j | — | — |
| mitsubishi_electric_corporation | ae-50a | — | — |
| mitsubishi_electric_corporation | ae-50e | — | — |
| mitsubishi_electric_corporation | ae-50j | — | — |
| mitsubishi_electric_corporation | ag-150a-a | — | — |
| mitsubishi_electric_corporation | ag-150a-j | — | — |
| mitsubishi_electric_corporation | cms-rmd-j | — | — |
| mitsubishi_electric_corporation | eb-50gu-a | — | — |
| mitsubishi_electric_corporation | eb-50gu-j | — | — |
| mitsubishi_electric_corporation | ew-50a | — | — |
| mitsubishi_electric_corporation | ew-50e | — | — |
| mitsubishi_electric_corporation | ew-50j | — | — |
| mitsubishi_electric_corporation | g-150ad | — | — |
| mitsubishi_electric_corporation | g-50 | — | — |
| mitsubishi_electric_corporation | g-50-w | — | — |
| mitsubishi_electric_corporation | g-50a | — | — |
| mitsubishi_electric_corporation | gb-24a | — | — |
| mitsubishi_electric_corporation | gb-50 | — | — |
| mitsubishi_electric_corporation | gb-50a | — | — |
| mitsubishi_electric_corporation | gb-50ad | — | — |
| mitsubishi_electric_corporation | gb-50ada-a | — | — |
| mitsubishi_electric_corporation | gb-50ada-j | — | — |
| mitsubishi_electric_corporation | te-200a | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Target devices are Mitsubishi Electric air conditioning central controllers (G-50, G-50A, GB-50, AE-200, AE-50, EW-50, TE-200, TE-50, TW-50, CMS-RMD-J, etc.) exposed on the network; monitor for unauthenticated HTTP/network requests to these devices that successfully reach privileged control or firmware update functions without prior authentication exchange. ↗
- →CVSS vector AV:N/AC:L/PR:N/UI:N indicates exploitation is fully remote, requires no privileges and no user interaction — alert on any unauthenticated network sessions that invoke critical control or firmware-related functions on affected Mitsubishi Electric HVAC controllers. ↗
- →CWE-306 (Missing Authentication for Critical Function) — detect network traffic reaching administrative/control endpoints on affected devices without any authentication headers or session tokens, particularly from untrusted external hosts. ↗
- ·Older/legacy models (G-50, G-50A, GB-50, GB-50A, GB-24A, G-150AD, AG-150A-A/J, GB-50AD, GB-50ADA-A/J, EB-50GU-A/J, CMS-RMD-J) have no access restriction setting available; network-level segmentation is the only mitigation for these devices. ↗
- ·No known public exploitation has been reported at time of advisory publication, but the vulnerability is rated CVSS 9.8 Critical and is exploitable with no authentication, no privileges, and no user interaction from the network. ↗
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
CISA ICS
Mitsubishi Electric Air Conditioning Systems (Update B)
cisa_ics·2025-12-23·CVSS 9.8
[CRITICAL] Mitsubishi Electric Air Conditioning Systems (Update B)
ICS Advisory
##
Mitsubishi Electric Air Conditioning Systems (Update B)
Last RevisedDecember 23, 2025
Alert CodeICSA-25-177-01
Related topics:
Industrial Control System Vulnerabilities, Industrial Control Systems
View CSAF
## Summary
Successful exploitation of this vulnerability could allow an attacker to bypass authentication to gain unauthorized control of the air conditioning system or access sensitive information stored in the system. The attacker may also use the disclosed sensitive information to tamper with the firmware of the affected products.
The following versions of Mitsubishi Electric Air Conditioning Systems (Update B) are affected:
- G-50 (CVE-2025-3699)
- G-50-W (CVE-2025-3699)
- G-50A (CVE-2025-3699)
- GB-50 (CVE-2025-3699)
- GB-50A (CV
GHSA
GHSA-73r7-73gp-j7mv: Missing Authentication for Critical Function vulnerability in Mitsubishi Electric Corporation G-50 Version 3
ghsa_unreviewed·2025-06-27
CVE-2025-3699 [CRITICAL] CWE-306 GHSA-73r7-73gp-j7mv: Missing Authentication for Critical Function vulnerability in Mitsubishi Electric Corporation G-50 Version 3
Missing Authentication for Critical Function vulnerability in Mitsubishi Electric Corporation G-50 Version 3.37 and prior, G-50-W Version 3.37 and prior, G-50A Version 3.37 and prior, GB-50 Version 3.37 and prior, GB-50A Version 3.37 and prior, GB-24A Version 9.12 and prior, G-150AD Version 3.21 and prior, AG-150A-A Version 3.21 and prior, AG-150A-J Version 3.21 and prior, GB-50AD Version 3.21 and prior, GB-50ADA-A Version 3.21 and prior, GB-50ADA-J Version 3.21 and prior, EB-50GU-A Version 7.11 and prior, EB-50GU-J Version 7.11 and prior, AE-200J Version 8.01 and prior, AE-200A Version 8.01 and prior, AE-200E Version 8.01 and prior, AE-50J Version 8.01 and prior, AE-50A Version 8.01 and prior, AE-50E Version 8.01 and prior, EW-50J Version 8.01 and prior, EW-50A Version 8.01 and prior, EW-
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
2025-06-26
Published