Mitsubishi Electric

Mitsubishi Electric disclosed a critical authentication bypass vulnerability affecting 27 air conditioning system models. The vulnerability, CVE-2025-3699, allows remote attackers to gain unauthorized control over building HVAC systems. Attackers can control air conditioning systems, access sensitive information, and tamper with firmware. The attack requires no user interaction and can be executed remotely, making it particularly dangerous. The vulnerability affects a wide range of Mitsubishi Electric air conditioning systems, posing significant risks to commercial buildings and industrial facilities.

Source: https://cybersecuritynews.com/mitsubishi-electric-ac-systems-vulnerability/

TPRM report: https://scoringcyber.rankiteo.com/company/metushvac

"id": "met623062825",
"linkid": "metushvac",
"type": "Vulnerability",
"date": "6/2025",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"
{'affected_entities': [{'industry': 'HVAC',
                        'name': 'Mitsubishi Electric',
                        'type': 'Manufacturer'}],
 'attack_vector': 'Remote',
 'description': 'Mitsubishi Electric has disclosed a critical authentication '
                'bypass vulnerability affecting 27 different air conditioning '
                'system models, potentially allowing remote attackers to gain '
                'unauthorized control over building HVAC systems.',
 'impact': {'systems_affected': ['Air conditioning systems']},
 'post_incident_analysis': {'root_causes': ['Missing Authentication for '
                                            'Critical Function']},
 'recommendations': ['Implement robust security practices in industrial and '
                     'commercial environments',
                     'Assess network configurations',
                     'Implement recommended security measures'],
 'response': {'containment_measures': ['Restricting network access from '
                                       'untrusted sources',
                                       'Limiting physical access to systems '
                                       'and connected infrastructure',
                                       'Maintaining updated antivirus software '
                                       'and web browsers']},
 'title': 'Mitsubishi Electric Air Conditioning System Authentication Bypass '
          'Vulnerability',
 'type': 'Vulnerability',
 'vulnerability_exploited': 'CVE-2025-3699'}