
CVE-2025-3699: CWE-306 Missing Authentication for Critical Function in Mitsubishi Electric Corporation G-50

Critical
Type: Vulnerability
ID: CVE-2025-3699
Tags: cve, cve-2025-3699, cwe-306
Published: Thu Jun 26 2025 (06/26/2025, 22:40:37 UTC)
Source: CVE Database V5
Vendor/Project: Mitsubishi Electric Corporation
Product: G-50

Description

Missing Authentication for Critical Function vulnerability in Mitsubishi Electric Corporation G-50 Version 3.37 and prior, G-50-W Version 3.37 and prior, G-50A Version 3.37 and prior, GB-50 Version 3.37 and prior, GB-50A Version 3.37 and prior, GB-24A Version 9.12 and prior, G-150AD Version 3.21 and prior, AG-150A-A Version 3.21 and prior, AG-150A-J Version 3.21 and prior, GB-50AD Version 3.21 and prior, GB-50ADA-A Version 3.21 and prior, GB-50ADA-J Version 3.21 and prior, EB-50GU-A Version 7.11 and prior, EB-50GU-J Version 7.11 and prior, AE-200J Version 8.01 and prior, AE-200A Version 8.01 and prior, AE-200E Version 8.01 and prior, AE-50J Version 8.01 and prior, AE-50A Version 8.01 and prior, AE-50E Version 8.01 and prior, EW-50J Version 8.01 and prior, EW-50A Version 8.01 and prior, EW-50E Version 8.01 and prior, TE-200A Version 8.01 and prior, TE-50A Version 8.01 and prior, TW-50A Version 8.01 and prior, and CMS-RMD-J Version 1.40 and prior allows a remote unauthenticated attacker to bypass authentication and then control the air conditioning systems illegally, or disclose information in them by exploiting this vulnerability. In addition, the attacker may tamper with firmware for them using the disclosed information.

AI-Powered Analysis

Last updated: 06/26/2025, 23:05:16 UTC

Technical Analysis

CVE-2025-3699 is a critical vulnerability identified in multiple versions of Mitsubishi Electric Corporation's G-50 series air conditioning control systems and related models. The core issue is a Missing Authentication for Critical Function (CWE-306), which allows a remote, unauthenticated attacker to bypass authentication mechanisms entirely. This vulnerability affects a wide range of product versions including G-50, G-50-W, G-50A, GB-50, GB-50A, GB-24A, G-150AD, AG-150A-A/J, GB-50AD, GB-50ADA-A/J, EB-50GU-A/J, AE-200J/A/E, AE-50J/A/E, EW-50J/A/E, TE-200A, TE-50A, TW-50A, and CMS-RMD-J, all at or below specified version thresholds (mostly version 3.37 or 8.01 and prior). The vulnerability enables attackers to remotely access and control the air conditioning systems without any authentication, which can lead to unauthorized control over HVAC operations. Additionally, attackers may disclose sensitive information stored within these systems and potentially tamper with firmware using the leaked data, escalating the risk to system integrity and availability. The CVSS v3.1 base score is 9.8, indicating a critical severity with network attack vector, low attack complexity, no privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. Although no known exploits are currently reported in the wild, the vulnerability's nature and severity make it a high-risk target for attackers seeking to disrupt or manipulate critical building infrastructure. The lack of authentication on critical functions represents a fundamental security design flaw, potentially allowing attackers to manipulate environmental controls, cause operational disruptions, or use the compromised devices as pivot points for further network intrusion.

Potential Impact

For European organizations, this vulnerability poses significant risks, especially for those in sectors relying heavily on Mitsubishi Electric's G-50 series HVAC systems, such as commercial real estate, manufacturing, healthcare, and data centers. Unauthorized control over air conditioning systems can lead to physical discomfort, damage to sensitive equipment due to improper temperature or humidity control, and operational downtime. Disclosure of sensitive system information and firmware tampering could enable persistent backdoors or further exploitation, increasing the attack surface within corporate networks. In critical infrastructure or healthcare facilities, disruption of HVAC systems could impact safety and compliance with environmental regulations. Moreover, compromised HVAC systems could be leveraged as entry points for lateral movement within enterprise networks, potentially exposing confidential data and critical systems. The critical severity and ease of exploitation without authentication make this a pressing concern for European organizations to address promptly to avoid operational, financial, and reputational damage.

Mitigation Recommendations

Given the critical nature of this vulnerability, European organizations should take immediate and specific mitigation steps beyond generic advice:

1) Inventory and identify all Mitsubishi Electric G-50 series and related HVAC systems within their environment, including exact versions.
2) Engage with Mitsubishi Electric for official patches or firmware updates addressing CVE-2025-3699; if no patches are yet available, request timelines and interim guidance.
3) Implement network segmentation to isolate HVAC control systems from general enterprise networks and the internet, restricting access to trusted management stations only.
4) Deploy strict access control lists (ACLs) and firewall rules to block unauthorized inbound traffic to these devices, especially from untrusted or external sources.
5) Monitor network traffic for anomalous access attempts or unusual commands targeting HVAC systems, using IDS/IPS solutions tuned for industrial control protocols.
6) Consider deploying multi-factor authentication or additional gateway authentication mechanisms where possible to add layers beyond the vulnerable device authentication.
7) Conduct regular security audits and penetration tests focusing on building management systems to detect exploitation attempts early.
8) Develop and rehearse incident response plans specific to HVAC system compromise scenarios to minimize downtime and impact.
9) Educate facility management and IT teams about this vulnerability and the importance of securing building automation systems.

These targeted actions will help reduce exposure and mitigate the risk until official patches are deployed.
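For the inventory step, the sketch below checks an asset export against the affected-version ceilings listed in the Description. It is an added example, not part of the original advisory or any Mitsubishi Electric tooling; the CSV columns (`host`, `model`, `firmware`), the sample rows and the status labels are constructed, and comparing versions as numeric major.minor pairs is an assumption.

```python
import csv
import io
import re

# Highest affected firmware version per model, copied from the Description above.
AFFECTED_MAX = {}
for models, limit in [
    ("G-50 G-50-W G-50A GB-50 GB-50A", "3.37"),
    ("GB-24A", "9.12"),
    ("G-150AD AG-150A-A AG-150A-J GB-50AD GB-50ADA-A GB-50ADA-J", "3.21"),
    ("EB-50GU-A EB-50GU-J", "7.11"),
    ("AE-200J AE-200A AE-200E AE-50J AE-50A AE-50E "
     "EW-50J EW-50A EW-50E TE-200A TE-50A TW-50A", "8.01"),
    ("CMS-RMD-J", "1.40"),
]:
    for name in models.split():
        AFFECTED_MAX[name] = limit

def parse_version(text):
    """'Ver.3.37' or '3.37' -> (3, 37); None if no major.minor is present.
    Assumption: both fields compare as integers, so '8.1' equals '8.01'."""
    m = re.search(r"(\d+)\.(\d+)", text or "")
    return (int(m.group(1)), int(m.group(2))) if m else None

def classify(model, firmware):
    limit = AFFECTED_MAX.get(model.strip().upper())
    if limit is None:
        return "model-not-listed"      # not named in this advisory
    version = parse_version(firmware)
    if version is None:
        return "verify-manually"       # listed model, version unknown
    return "affected" if version <= parse_version(limit) else "above-listed-range"

def audit(inventory_csv):
    """Return (host, model, firmware, status) for every inventory row."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return [(r["host"], r["model"], r["firmware"],
             classify(r["model"], r["firmware"])) for r in rows]

# Constructed sample export; hosts and versions are illustrative only.
SAMPLE = """host,model,firmware
hvac-lobby,AE-200E,Ver.7.98
hvac-lab,ae-200e,8.02
hvac-roof,G-50A,3.37
hvac-annex,GB-24A,
chiller-1,XYZ-100,1.00
"""

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("{:<11} {:<8} {:<9} {}".format(*row))
```

Rows reported as `verify-manually` are listed models whose firmware version is missing from the export; confirm the version on the device before treating it as unaffected.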


Technical Details

Data Version: 5.1
Assigner Short Name: Mitsubishi
Date Reserved: 2025-04-16T04:10:19.080Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 685dce93ca1063fb874c451e

Added to database: 6/26/2025, 10:49:55 PM

Last enriched: 6/26/2025, 11:05:16 PM

Last updated: 8/17/2025, 2:13:35 PM
