cbcvebase.
CVE-2025-3699
published 2025-06-26

CVE-2025-3699: Missing Authentication for Critical Function vulnerability in Mitsubishi Electric Corporation G-50 all versions, G-50-W all versions, G-50A all versions, GB-50…

PriorityP272critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EPSS
1.09%
61.2th percentile
Missing Authentication for Critical Function vulnerability in Mitsubishi Electric Corporation G-50 all versions, G-50-W all versions, G-50A all versions, GB-50 all versions, GB-50A all versions, GB-24A all versions, G-150AD all versions, AG-150A-A all versions, AG-150A-J all versions, GB-50AD all versions, GB-50ADA-A all versions, GB-50ADA-J all versions, EB-50GU-A all versions, EB-50GU-J all versions, AE-200J all versions, AE-200A all versions, AE-200E all versions, AE-50J all versions, AE-50A all versions, AE-50E all versions, EW-50J all versions, EW-50A all versions, EW-50E all versions, TE-200A all versions, TE-50A all versions, TW-50A all versions, and CMS-RMD-J all versions allows a remote unauthenticated attacker to bypass authentication and then control the air conditioning systems illegally, or disclose information in them by exploiting this vulnerability. In addition, the attacker may tamper with firmware for them using the disclosed information.

Affected

27 ranges· showing 25
VendorProductVersion rangeFixed in
mitsubishi_electric_corporationae-200a
mitsubishi_electric_corporationae-200e
mitsubishi_electric_corporationae-200j
mitsubishi_electric_corporationae-50a
mitsubishi_electric_corporationae-50e
mitsubishi_electric_corporationae-50j
mitsubishi_electric_corporationag-150a-a
mitsubishi_electric_corporationag-150a-j
mitsubishi_electric_corporationcms-rmd-j
mitsubishi_electric_corporationeb-50gu-a
mitsubishi_electric_corporationeb-50gu-j
mitsubishi_electric_corporationew-50a
mitsubishi_electric_corporationew-50e
mitsubishi_electric_corporationew-50j
mitsubishi_electric_corporationg-150ad
mitsubishi_electric_corporationg-50
mitsubishi_electric_corporationg-50-w
mitsubishi_electric_corporationg-50a
mitsubishi_electric_corporationgb-24a
mitsubishi_electric_corporationgb-50
mitsubishi_electric_corporationgb-50a
mitsubishi_electric_corporationgb-50ad
mitsubishi_electric_corporationgb-50ada-a
mitsubishi_electric_corporationgb-50ada-j
mitsubishi_electric_corporationte-200a

Detection & IOCsextracted from sources · hover to see the quote

  • Target devices are Mitsubishi Electric air conditioning central controllers (G-50, G-50A, GB-50, AE-200, AE-50, EW-50, TE-200, TE-50, TW-50, CMS-RMD-J, etc.) exposed on the network; monitor for unauthenticated HTTP/network requests to these devices that successfully reach privileged control or firmware update functions without prior authentication exchange.
  • CVSS vector AV:N/AC:L/PR:N/UI:N indicates exploitation is fully remote, requires no privileges and no user interaction — alert on any unauthenticated network sessions that invoke critical control or firmware-related functions on affected Mitsubishi Electric HVAC controllers.
  • CWE-306 (Missing Authentication for Critical Function) — detect network traffic reaching administrative/control endpoints on affected devices without any authentication headers or session tokens, particularly from untrusted external hosts.
  • ·Older/legacy models (G-50, G-50A, GB-50, GB-50A, GB-24A, G-150AD, AG-150A-A/J, GB-50AD, GB-50ADA-A/J, EB-50GU-A/J, CMS-RMD-J) have no access restriction setting available; network-level segmentation is the only mitigation for these devices.
  • ·No known public exploitation has been reported at time of advisory publication, but the vulnerability is rated CVSS 9.8 Critical and is exploitable with no authentication, no privileges, and no user interaction from the network.
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.