Missing Authentication Vulnerability in Mitsubishi Electric Air Conditioning Products
CVE-2025-3699

9.8 CRITICAL

What is CVE-2025-3699?

A missing authentication vulnerability exists in various Mitsubishi Electric air conditioning products, allowing a remote, unauthenticated attacker to bypass critical authentication mechanisms. This flaw enables unauthorized control over the air conditioning systems as well as the potential to access and disclose sensitive information. Furthermore, attackers can exploit this vulnerability to manipulate firmware components of the affected systems, posing significant security risks and operational disruptions.

Affected Version(s)

AE-200A Ver.8.01 and prior

AE-200E Ver.8.01 and prior

AE-200J Ver.8.01 and prior

CVSS V3.1

Score: 9.8
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
