CVE-2025-5022
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-07-10

Last updated on: 2025-09-19

Assigner: Mitsubishi Electric Corporation

Description
Weak Password Requirements vulnerability in Mitsubishi Electric Corporation photovoltaic system monitor “EcoGuideTAB” PV-DR004J all versions and PV-DR004JA all versions allows an attacker within the Wi-Fi communication range between the units of the product (measurement unit and display unit) to derive the password from the SSID. In addition, if the product is configured to enable the individual air conditioner control function, an attacker who has access to the Wi-Fi communication between the units by exploiting this vulnerability may be able to execute ECHONET Lite commands to perform operations such as turning the air conditioner on or off and changing the set temperature. The individual air conditioner control function is available only in display unit version 02.00.01 or later and measurement unit version 02.03.01 or later. The affected products discontinued in 2015, support ended in 2020.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-07-10
Last Modified
2025-09-19
Generated
2026-05-27
AI Q&A
2025-07-10
EPSS Evaluated
2026-05-25
NVD
CVE-2025-5022
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
mitsubishi_electric ecoguide_tab 02.00.01
mitsubishi_electric ecoguide_tab 02.03.01
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-521 The product does not require that users should have strong passwords.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a Weak Password Requirements issue in Mitsubishi Electric Corporation's photovoltaic system monitor "EcoGuideTAB" models PV-DR004J and PV-DR004JA. An attacker within Wi-Fi range between the measurement and display units can derive the password from the SSID. The vulnerability does not affect the product when it is unused for 5 minutes and enters power-saving mode with the display unit's LCD screen off.


How can this vulnerability impact me? :

An attacker within Wi-Fi range could derive the password from the SSID, potentially allowing unauthorized access to the photovoltaic system monitor's communication. This could lead to exposure of sensitive information or unauthorized monitoring, but the vulnerability does not impact the system if it is in power-saving mode after 5 minutes of inactivity.


What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, ensure that the affected Mitsubishi Electric photovoltaic system monitor units are not within Wi-Fi communication range of potential attackers. Additionally, allow the product to enter its power-saving mode by leaving it unused for the default period (5 minutes), which disables the vulnerability. Since the affected products were discontinued in 2015 and support ended in 2020, consider replacing them with supported and updated devices.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart