Mitsubishi Electric Patches Vulnerabilities in Air Conditioning Systems


Advisories describing the vulnerabilities were published this month by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Mitsubishi Electric. SecurityWeek has also obtained additional information from people involved in the discovery and disclosure of these flaws.

One advisory describes a critical vulnerability that exposes the affected control systems to unauthenticated XML external entity injection (XXE) attacks. The issue is tracked as CVE-2021-20595 and has a CVSS score of 9.3.

Exploitation of the vulnerability can lead to denial of service (DoS) or information disclosure.