Mitsubishi Electric Air Conditioning Systems (Update B)

Risk Summary

Successful exploitation of this vulnerability could allow an attacker to bypass authentication to gain unauthorized control of the air conditioning system or access sensitive information stored in the system. The attacker may also use the disclosed sensitive information to tamper with the firmware of the affected products.

CVEs (1)

Remediations

• To minimize the risk of exploitation, ensure that air conditioning systems are configured according to Mitsubishi Electric's recommendations. Mitsubishi Electric recommends taking the following mitigation measures:
• Restrict access to air conditioning systems from untrusted networks and hosts.
• Restrict physical access to air conditioning systems, computers which can access them, and the network which is connected to them.
• Use antivirus software and ensure that the operating system and web browser are updated to the latest versions on computers that connect to air conditioning systems.
• Access restriction settings are available for the following models and versions. Depending on your environment, Mitsubishi Electric recommends enabling these settings to block access from untrusted hosts. Refer to section 6-3-3, ‘Access Restriction Settings,' in the Instruction Book – Initial Settings for usage instructions.
• The following models and versions support access restriction settings:
• AE-200J Ver.8.03 or later
• AE-200A Ver.8.03 or later
• AE-200E Ver.8.03 or later
• AE-50J Ver.8.03 or later
• AE-50A Ver.8.03 or later
• AE-50E Ver.8.03 or later
• EW-50J Ver.8.03 or later
• EW-50A Ver.8.03 or later
• EW-50E Ver.8.03 or later
• TE-200A Ver.8.03 or later
• TE-50A Ver.8.03 or later
• TW-50A Ver.8.03 or later
• Refer to Mitsubishi Electric's security bulletin for more information, including instructions for verifying the product version.

Affected Vendors

Affected Products (27)

Affected Sectors

Commercial Facilities