The U.S. government is warning organizations to check their operational technology (OT) networks following the disclosure of new vulnerabilities in industrial control system (ICS) hardware.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) said that administrators should check for a patch for a vulnerability in the Mitsubishi Electric air conditioning controller line of ICS hardware that has been given a CVSS score of 9.3, considered to be a critical risk.

According to the CISA alert, the flaw could allow for remote takeover of a vulnerable controller. Designated CVE-2025-3699, the vulnerability stems from an authentication error that could allow an attacker to bypass login checks.

“An attacker may bypass authentication to control the air conditioning systems illegally or disclose information from them by exploiting this vulnerability,” CISA said in discussing the details of the vulnerability. “In addition, the attacker may tamper with the firmware of the affected products using the disclosed information.”

According to the U.S. cybersecurity authority, the vulnerability is present in some 26 different models of Mitsubishi Electric industrial controllers, all of which are associated with air conditioning systems.

For those in more temperate climates, tampering with an industrial controller for an air conditioning system would be little more than a minor annoyance. With much of the U.S. entering the hottest months of the year, however, in warmer climates the loss of air conditioning could pose a safety risk, particularly if those controllers are also connected to refrigeration and cooling systems.

More importantly, there is the risk that vulnerable ICS hardware could provide an attacker with the ability to conduct lateral movement.
Threat actors often pounce on a vulnerable appliance or device that would itself be of little importance, only to use the compromised device as a foothold to access other, more valuable systems on the network.

This is particularly important in the case of ICS hardware, which often gets overlooked for regular patches and updates. Such systems, if compromised, would allow threat actors to gain access to vital hardware within the operational technology (OT) network in critical infrastructure facilities.

“To minimize the exploitation risk of this vulnerability, make sure air conditioning systems are configured correctly as recommended by Mitsubishi Electric,” CISA advises.

“CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.”
Critical Infrastructure Security, Security Operations, Patch/Configuration Management
CISA warns of flaws in Mitsubishi Electric ICS hardware
