CVE-2025-3699

Published: Jun 26, 2025

Modified: Dec 23, 2025

PUBLISHED

CVSS v3.1

9.8

CRITICAL

Description

Missing Authentication for Critical Function vulnerability in Mitsubishi Electric Corporation G-50 all versions, G-50-W all versions, G-50A all versions, GB-50 all versions, GB-50A all versions, GB-24A all versions, G-150AD all versions, AG-150A-A all versions, AG-150A-J all versions, GB-50AD all versions, GB-50ADA-A all versions, GB-50ADA-J all versions, EB-50GU-A all versions, EB-50GU-J all versions, AE-200J all versions, AE-200A all versions, AE-200E all versions, AE-50J all versions, AE-50A all versions, AE-50E all versions, EW-50J all versions, EW-50A all versions, EW-50E all versions, TE-200A all versions, TE-50A all versions, TW-50A all versions, and CMS-RMD-J all versions allows a remote unauthenticated attacker to bypass authentication and then control the air conditioning systems illegally, or disclose information in them by exploiting this vulnerability. In addition, the attacker may tamper with firmware for them using the disclosed information.

Vendor	Product	Versions
Mitsubishi Electric Corporation	G-50	affected `All versions`
Mitsubishi Electric Corporation	G-50-W	affected `All versions`
Mitsubishi Electric Corporation	G-50A	affected `All versions`
Mitsubishi Electric Corporation	GB-50	affected `All versions`
Mitsubishi Electric Corporation	GB-50A	affected `All versions`
Mitsubishi Electric Corporation	GB-24A	affected `All versions`
Mitsubishi Electric Corporation	G-150AD	affected `All versions`
Mitsubishi Electric Corporation	AG-150A-A	affected `All versions`
Mitsubishi Electric Corporation	AG-150A-J	affected `All versions`
Mitsubishi Electric Corporation	GB-50AD	affected `All versions`
Mitsubishi Electric Corporation	GB-50ADA-A	affected `All versions`
Mitsubishi Electric Corporation	GB-50ADA-J	affected `All versions`
Mitsubishi Electric Corporation	EB-50GU-A	affected `All versions`
Mitsubishi Electric Corporation	EB-50GU-J	affected `All versions`
Mitsubishi Electric Corporation	AE-200J	affected `All versions`
Mitsubishi Electric Corporation	AE-200A	affected `All versions`
Mitsubishi Electric Corporation	AE-200E	affected `All versions`
Mitsubishi Electric Corporation	AE-50J	affected `All versions`
Mitsubishi Electric Corporation	AE-50A	affected `All versions`
Mitsubishi Electric Corporation	AE-50E	affected `All versions`
Mitsubishi Electric Corporation	EW-50J	affected `All versions`
Mitsubishi Electric Corporation	EW-50A	affected `All versions`
Mitsubishi Electric Corporation	EW-50E	affected `All versions`
Mitsubishi Electric Corporation	TE-200A	affected `All versions`
Mitsubishi Electric Corporation	TE-50A	affected `All versions`
Mitsubishi Electric Corporation	TW-50A	affected `All versions`
Mitsubishi Electric Corporation	CMS-RMD-J	affected `All versions`

Weaknesses (CWE)

CWE-306

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-004_en.pdf

vendor-advisory

https://jvn.jp/vu/JVNVU96471539/

government-resource

https://www.cisa.gov/news-events/ics-advisories/icsa-25-177-01

government-resource

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-3699

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References