Mitsubishi Electric Air Conditioning Systems


1. EXECUTIVE SUMMARY

  • CVSS v4 9.3
  • ATTENTION: Exploitable remotely/low attack complexity
  • Vendor: Mitsubishi Electric
  • Equipment: Air conditioning systems
  • Vulnerability: Missing Authentication for Critical Function

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to control the air conditioning system.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Mitsubishi Electric reports the following air conditioning systems are affected:

  • G-50: Ver.3.37 and prior
  • G-50-W: Ver.3.37 and prior
  • G-50A: Ver.3.37 and prior
  • GB-50: Ver.3.37 and prior
  • GB-50A: Ver.3.37 and prior
  • GB-24A: Ver.9.12 and prior
  • G-150AD: Ver.3.21 and prior
  • AG-150A-A: Ver.3.21 and prior
  • AG-150A-J: Ver.3.21 and prior
  • GB-50AD: Ver.3.21 and prior
  • GB-50ADA-A: Ver.3.21 and prior
  • GB-50ADA-J: Ver.3.21 and prior
  • EB-50GU-A: Ver.7.11 and prior
  • EB-50GU-J: Ver.7.11 and prior
  • AE-200J: Ver.8.01 and prior
  • AE-200A: Ver.8.01 and prior
  • AE-200E: Ver.8.01 and prior
  • AE-50J: Ver.8.01 and prior
  • AE-50A: Ver.8.01 and prior
  • AE-50E: Ver.8.01 and prior
  • EW-50J: Ver.8.01 and prior
  • EW-50A: Ver.8.01 and prior
  • EW-50E: Ver.8.01 and prior
  • TE-200A: Ver.8.01 and prior
  • TE-50A: Ver.8.01 and prior
  • TW-50A: Ver.8.01 and prior
  • CMS-RMD-J: Ver.1.40 and prior
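The list above can be turned into a triage check against an asset inventory. The script below is an added example, not part of the advisory or of any vendor tooling. It assumes an inventory CSV with `host`, `model` and `firmware` columns (the sample rows are constructed) and that version components compare numerically, so 3.4 is treated as lower than 3.37.

```python
import csv
import io

# Highest affected version per model, copied from section 3.1 ("Ver.X and prior").
AFFECTED = {
    "3.37": "G-50 G-50-W G-50A GB-50 GB-50A",
    "9.12": "GB-24A",
    "3.21": "G-150AD AG-150A-A AG-150A-J GB-50AD GB-50ADA-A GB-50ADA-J",
    "7.11": "EB-50GU-A EB-50GU-J",
    "8.01": ("AE-200J AE-200A AE-200E AE-50J AE-50A AE-50E "
             "EW-50J EW-50A EW-50E TE-200A TE-50A TW-50A"),
    "1.40": "CMS-RMD-J",
}

def parse_version(text):
    """'Ver.3.37', 'ver 8.01' or '3.37' -> (3, 37). Assumption: numeric components."""
    t = text.strip().lower()
    if t.startswith("ver"):
        t = t[3:].lstrip(". ")
    parts = t.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)

MAX_AFFECTED = {m: parse_version(v) for v, ms in AFFECTED.items() for m in ms.split()}

def classify(model, firmware):
    limit = MAX_AFFECTED.get(model.strip().upper())
    if limit is None:
        return "not-listed"           # model does not appear in section 3.1
    try:
        version = parse_version(firmware)
    except ValueError:
        return "unknown-version"      # listed model: verify on the device itself
    return "affected" if version <= limit else "above-listed-range"

# Constructed sample inventory; hostnames and column names are assumptions.
SAMPLE_INVENTORY = """\
host,model,firmware
hvac-lobby,AE-200A,Ver.8.01
hvac-lab,GB-24A,9.13
hvac-roof,g-50a,3.2
hvac-dc,EW-50E,unknown
hvac-old,XYZ-1,1.0
"""

def triage(csv_text):
    rows = csv.DictReader(io.StringIO(csv_text))
    return [(r["host"], classify(r["model"], r["firmware"])) for r in rows]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {status}")
```

A result of `above-listed-range` only means the version is higher than the range listed here; treat `unknown-version` rows as affected until the firmware version is confirmed.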

3.2 VULNERABILITY OVERVIEW

3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

An authentication bypass vulnerability exists in Mitsubishi Electric air conditioning systems. An attacker may bypass authentication to control the air conditioning systems illegally or disclose information from them by exploiting this vulnerability. In addition, the attacker may tamper with the firmware of the affected produ

[…]
Content was cut in order to protect the source. Please visit the source for the rest of the article.

This article has been indexed from All CISA Advisories
