Executive Summary

A critical vulnerability, identified as CVE-2025-3699 with a CVSS v3 score of 9.8, affects a wide range of Mitsubishi Electric Air Conditioning Systems deployed worldwide within the Commercial Facilities sector. The vulnerability stems from a “Missing Authentication for Critical Function,” which could allow a remote attacker to bypass authentication entirely. Successful exploitation could lead to unauthorised control of the air conditioning system, access to sensitive stored information, and the potential for an attacker to use that information to tamper with the firmware of affected products. As of the latest advisory revision on December 23, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) has not received reports of any known public exploitation specifically targeting this vulnerability. CISA recommends that organisations perform impact analysis and risk assessments before deploying defensive measures and consult established industrial control systems (ICS) cybersecurity best practices.

Vulnerability Details

The core issue detailed in advisory ICSA-25-177-01 is a severe authentication flaw affecting numerous industrial control systems.

• Identifier: CVE-2025-3699
• Description: Missing Authentication for Critical Function
• CVSS v3 Score: 9.8 (Critical)

Potential Impact

According to the CISA advisory, the consequences of a successful exploit are significant. An attacker could achieve the following:

“bypass authentication to gain unauthorised control of the air conditioning system or access sensitive information stored in the system. The attacker may also use the disclosed sensitive information to tamper with the firmware of the affected products.”

This grants an unauthorised user high-level control and access, posing a substantial risk to system integrity and operational security.

Affected Systems

The vulnerability impacts a broad portfolio of Mitsubishi Electric products used globally in commercial facilities.

• Vendor: Mitsubishi Electric
• Headquarters: Japan
• Sector: Commercial Facilities
• Deployment: Worldwide

Affected Product Models

The following 27 product versions are confirmed to be affected by CVE-2025-3699:

Threat & Exploitation Status

As of the last revision of the advisory, there is no evidence of active, public exploitation targeting this specific vulnerability. The advisory states:

“No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.”

CISA Recommendations & Mitigation Guidance

CISA advises organisations using the affected products to take proactive and defensive measures to minimise risk. The core recommendations include:

• Perform Risk Assessment: Organisations should conduct a thorough impact analysis and risk assessment before deploying any defensive measures.
• Implement Defensive Strategies: CISA recommends users implement defensive measures to reduce the risk of exploitation.
• Follow ICS Best Practices: Organisations are encouraged to implement recommended cybersecurity strategies for the proactive defense of ICS assets. CISA provides extensive guidance on its Industrial Control Systems webpage (cisa.gov/ics). 
• Consult CISA Resources: Two specific documents are highlighted for further guidance:
  • Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies
  • ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies
• Report Suspicious Activity: Any suspected malicious activity should be reported to CISA for tracking and correlation with other incidents, following established internal procedures.

Advisory Metadata

• Alert Code: ICSA-25-177-01
• Discovery: The vulnerability was reported to Mitsubishi Electric by Mihály Csonka.
• Last Revised: December 23, 2025

Revision History

The advisory has been updated twice since its initial publication, indicating evolving information about the vulnerability.