Mitsubishi Electric Patches Vulnerabilities in Air Conditioning Systems
2021-07-12 13:05

Mitsubishi Electric recently patched critical and high-severity vulnerabilities affecting many of its air conditioning products, mainly centralized controllers.

Advisories describing the vulnerabilities were published this month by the U.S. Cybersecurity and Infrastructure Security Agency and Mitsubishi Electric.

One advisory describes a critical vulnerability that exposes the affected control systems to unauthenticated XML external entity injection attacks.

McGreehan told SecurityWeek, "This is an easy vulnerability to exploit, a standard XXE, and probably the most serious thing would be taking the controllers offline by invoking DoS conditions on them."

"This vulnerability allows a low privileged user to access an administrator page of MITSUBISHI Central Controller EW-50A or AE-200A Web Browser Interface. It requires the ability to login as a low privileged user," said Dustin Childs, communications manager at ZDI. Childs explained that an attacker could use the vulnerability to escalate privileges from "Guest" to "Administrator," which would give them complete control of the system.

In addition to patches, Mitsubishi Electric has made available mitigations, as well as instructions for checking a device's version number to see if it's affected by the vulnerabilities.


News URL

http://feedproxy.google.com/~r/securityweek/~3/492LoMA7Bso/mitsubishi-electric-patches-vulnerabilities-air-conditioning-systems

Related vendor (last 12 months)

VENDOR      #/PRODUCTS  LOW  MEDIUM  HIGH  CRITICAL  TOTAL VULNS
Mitsubishi  92          0    0       8     1         9