PatchSiren cyber security CVE debrief

CVE-2025-3699 Mitsubishi Electric CVE debrief

CVE-2025-3699 is a critical authentication bypass affecting Mitsubishi Electric air conditioning control systems. According to the CISA CSAF advisory, an attacker may bypass authentication to gain unauthorized control or access sensitive information stored in the system, and that information may be used to tamper with firmware. CISA published the advisory on 2025-06-26, later issued Update A on 2025-08-21, and Update B on 2025-12-23, which changed affected products and mitigations.

Vendor: Mitsubishi Electric
Product: G-50
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-06-26
Original CVE updated: 2025-12-23
Advisory published: 2025-06-26
Advisory updated: 2025-12-23

Who should care

OT/ICS operators, building automation teams, facilities engineering, and security administrators responsible for Mitsubishi Electric air conditioning control systems should treat this as high priority. Organizations that expose these controllers to untrusted networks, access them from shared computers, or lack physical access controls are especially at risk.

Technical summary

The advisory describes an authentication bypass with network-exploitable characteristics (CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). The impact is broad: unauthorized control, sensitive-information exposure, and potential downstream firmware tampering. The affected product set in Update B includes 27 Mitsubishi Electric models/families, with vendor fix versions explicitly listed for AE-200/AE-50, EW-50, TE-200/TE-50, and TW-50 variants at Ver. 8.03 or later. For the remaining affected products in the corpus, CISA lists mitigations and access-restriction guidance rather than a specific firmware version fix.

Defensive priority

Critical priority. Because the issue enables authentication bypass and can lead to control, data exposure, and firmware integrity risk, it should be handled as an urgent OT remediation item.

Recommended defensive actions

  • Review the CISA CSAF advisory and Mitsubishi Electric security bulletin for the exact affected product/version mapping and verification steps.
  • Apply vendor fixes where available: AE-200J/A/E, AE-50J/A/E, EW-50J/A/E, TE-200A, TE-50A, and TW-50A should be updated to Ver. 8.03 or later.
  • For affected systems without a listed firmware fix in the advisory corpus, implement the vendor and CISA mitigations immediately.
  • Restrict access to air conditioning systems from untrusted networks and hosts.
  • Restrict physical access to the controllers, the computers that can reach them, and the connected network.
  • Ensure computers used to access these systems are protected with up-to-date antivirus, operating system, and web browser software.
  • Enable access restriction settings where supported, following section 6-3-3 of the Instruction Book – Initial Settings.
  • Inventory exposed controllers and confirm whether any affected models are reachable from enterprise or remote-access networks; reduce exposure before applying updates or mitigations.
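As an added example, not a tool from Mitsubishi Electric or CISA, the helper below applies the two remediation rules in this list to an inventory export: models in the families with a listed fix are compared against Ver. 8.03, every other affected model is marked mitigation-only, and anything reachable from an untrusted network is flagged for exposure reduction. The family regex, the version format and the sample rows are assumptions.

```python
"""Triage a controller inventory against the CVE-2025-3699 remediation guidance.

Hypothetical helper. The fixable families and the Ver. 8.03 threshold come from
the advisory text; the inventory rows at the bottom are constructed sample data.
"""
import re

FIX_VERSION = (8, 3)  # "Ver. 8.03 or later"
# Families with a listed vendor fix, e.g. "AE-200J", "EW-50E"; the regional
# suffix letter (J/A/E) is optional. Assumed naming pattern.
FAMILY_RE = re.compile(r"^(AE-200|AE-50|EW-50|TE-200|TE-50|TW-50)[A-Z]?$")


def parse_version(text):
    """Turn 'Ver. 8.03' or '8.03' into a (major, minor) tuple for comparison.
    Assumes the vendor's dotted numeric form with a two-digit minor."""
    m = re.search(r"(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return int(m.group(1)), int(m.group(2))


def triage(model, version, reachable_from_untrusted):
    """Return the remediation status for one controller.
    status: 'patched' (fixable family at/above 8.03), 'update' (fixable family
    below 8.03) or 'mitigate-only' (affected model with no firmware fix listed).
    reduce_exposure is True whenever the unit is reachable from an untrusted
    network, regardless of patch state, per the access-restriction guidance."""
    if FAMILY_RE.match(model.strip().upper()) is None:
        status = "mitigate-only"
    elif parse_version(version) >= FIX_VERSION:
        status = "patched"
    else:
        status = "update"
    return {"model": model, "status": status,
            "reduce_exposure": bool(reachable_from_untrusted)}


# Constructed sample rows: (model, reported firmware, reachable from untrusted net)
SAMPLE_INVENTORY = [
    ("AE-200A", "Ver. 7.99", True),
    ("EW-50E", "Ver. 8.03", False),
    ("TW-50A", "Ver. 8.10", True),
    ("G-50", "Ver. 3.50", True),   # no firmware fix listed in the advisory
]


def run_inventory(rows=SAMPLE_INVENTORY):
    """Triage every row; feed your own asset-inventory export in the same shape."""
    return [triage(m, v, r) for m, v, r in rows]


if __name__ == "__main__":
    for r in run_inventory():
        print(f"{r['model']:<8} {r['status']:<14} reduce_exposure={r['reduce_exposure']}")
```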

Evidence notes

This debrief is based only on the supplied CISA CSAF advisory (ICSA-25-177-01) and the official links included in the corpus. The source states that Update B (2025-12-23) changed affected products and mitigations. The advisory lists 27 affected product names and remediation guidance, including model-specific vendor fixes for a subset of products and general access-restriction mitigations for all affected products. No KEV entry or ransomware-campaign flag is present in the supplied data.

Official resources

Initial public disclosure: 2025-06-26. Advisory updates recorded in the source corpus: Update A on 2025-08-21 (wording changes) and Update B on 2025-12-23 (changed affected products and mitigations).