Mitsubishi warns of AC controller vulnerability
28th June 2025
JAPAN: Mitsubishi Electric has warned of a vulnerability in some of its multiple air conditioning controllers which could allow an attacker to bypass authentication.
By exploiting the vulnerability. Mitsubishi Electric warns that an attacker could control the air conditioning systems illegally, or disclose information in them. In addition, the attacker could tamper with firmware for the affected products using the disclosed information.
The vulnerability, which is said to to affect 27 controller models, has been reported to the USA’s cyber defence agency CISA. It has been assigned a CVSS v3.1 base score of 9.8, a critical vulnerability with the highest possible severity.
The models affected are:
G-50: Ver 3.37 and prior
G-50-W: Ver 3.37 and prior
G-50A: Ver 3.37 and prior
GB-50: Ver 3.37 and prior
GB-50A: Ver 3.37 and prior
GB-24A: Ver 9.12 and prior
G-150AD: Ver 3.21 and prior
AG-150A-A: Ver 3.21 and prior
AG-150A-J: Ver 3.21 and prior
GB-50AD: Ver.3 21 and prior
GB-50ADA-A: Ver 3.21 and prior
GB-50ADA-J: Ver 3.21 and prior
EB-50GU-A: Ver 7.11 and prior
EB-50GU-J: Ver 7.11 and prior
AE-200J: Ver 8.01 and prior
AE-200A: Ver 8.01 and prior
AE-200E: Ver 8.01 and prior
AE-50J: Ver 8.01 and prior
AE-50A: Ver 8.01 and prior
AE-50E: Ver 8.01 and prior
EW-50J: Ver 8.01 and prior
EW-50A: Ver 8.01 and prior
EW-50E: Ver 8.01 and prior
TE-200A: Ver 8.01 and prior
TE-50A: Ver 8.01 and prior
TW-50A: Ver 8.01 and prior
CMS-RMD-J: Ver 1.40 and prior.
To minimise the risk, Mitsubishi Electric advises that users should make sure that the air conditioning system is configured as recommended by Mitsubishi Electric. It also recommends restricting access to an affected air conditioning system from untrusted networks and hosts and restricting physical access to the system. It also advises using an anti-virus software and update the OS and the web browser to the latest version on the connected computer.
Further information is contained in this release from Mitsubishi Electric.
