Critical vulnerability in Mitsubishi air conditioning systems: an attacker can remotely cool you down. 👨🏻‍💻🖳𖣘💨🥶
Security researcher Mihaly Csonka recently reported a critical vulnerability in Mitsubishi centralized air conditioning systems. CVE-2025-3699, which has a CVSS 4.0 score of 9.3 (Critical), is actually an authentication bypass vulnerability in the management software. More than 20 different models are affected.
We still do not have the technical details about the vulnerability, and I hope that a write-up about how it was found is on its way. But here we are - a critical vulnerability in air conditioning. The future is here!
Check the advisory from Mitsubishi (pretty good format and lots of details!), and if you have more information on this one, please share it (ethically, of course).
More details:
Authentication Bypass Vulnerability in Multiple Air Conditioning Systems [PDF]: https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-004_en.pdf
Mitsubishi Electric Air Conditioning Systems (Update A) [Advisory]: https://www.cisa.gov/news-events/ics-advisories/icsa-25-177-01