CVE-2025-3699CRITICAL 9.8EPSS p61.3%

CVE-2025-3699CVE-2025-3699

Description

Missing Authentication for Critical Function vulnerability in Mitsubishi Electric Corporation G-50 all versions, G-50-W all versions, G-50A all versions, GB-50 all versions, GB-50A all versions, GB-24A all versions, G-150AD all versions, AG-150A-A all versions, AG-150A-J all versions, GB-50AD all versions, GB-50ADA-A all versions, GB-50ADA-J all versions, EB-50GU-A all versions, EB-50GU-J all versions, AE-200J all versions, AE-200A all versions, AE-200E all versions, AE-50J all versions, AE-50A all versions, AE-50E all versions, EW-50J all versions, EW-50A all versions, EW-50E all versions, TE-200A all versions, TE-50A all versions, TW-50A all versions, and CMS-RMD-J all versions allows a remote unauthenticated attacker to bypass authentication and then control the air conditioning systems illegally, or disclose information in them by exploiting this vulnerability. In addition, the attacker may tamper with firmware for them using the disclosed information.

Scoring

CVSS 3.19.8 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS1.10% probability of exploitation · percentile 61.3% · 2026-06-19T12:03:05Z
Published2025-06-26
Last modified2026-04-15

Underlying weaknesses· 1

CWE-306

References

  1. https://jvn.jp/vu/JVNVU96471539/
  2. https://www.cisa.gov/news-events/ics-advisories/icsa-25-177-01
  3. https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-004_en.pdf

1

TypeTargetConfidenceTier
WeaknessMissing Authentication for Critical Functioncwe-3060%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-3128
CVE
CVE-2025-10127
CVE
CVE-2025-3755
CVE
CVE-2025-27256
CVE
CVE-2022-24946
CVE
CVE-2025-3090
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.