CVE-2026-5667
Hard-Coded Credentials in Mitsubishi Electric IoT Devices

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: Mitsubishi Electric Corporation

Description
Use of Hard-coded Credentials vulnerability in Mitsubishi Electric Room Air Conditioners (for Japan and outside Japan); Wireless LAN Adapters for Room Air Conditioners (for Japan and outside Japan); Wireless LAN Adapters for Packaged Air Conditioners (for Japan and outside Japan); Refrigerators (for Japan); Heat Pump Water Heaters / HEMS-Compatible Adapters / Wireless LAN Adapters (for Japan); Bathroom Dryer / Heater / Ventilation Systems (for Japan); Adapters for Airflow Ventilation Systems, Heat Pump Chilled / Hot Water Systems, and Ventilation / Air-Conditioning System Air Resorts (for Japan); Lossnay Central Ventilation Systems (for Japan); Smart Switches for Ventilation Fans and Lossnay (for Japan); IH Cooking Heaters (for Japan); and Rice Cookers (for Japan) allows an attacker within Wi-Fi radio range of an affected product to access the affected product using a hard-coded SSID and password, thereby obtaining device data such as operation status, room set temperature, and room temperature; changing the air-conditioner or Wi-Fi settings; or causing Wi-Fi communication to enter a denial-of-service (DoS) condition.
Meta Information
Published: 2026-06-17
Last Modified: 2026-06-17
Generated: 2026-06-17
AI Q&A: 2026-06-17
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 10 associated CPEs
Vendor Product Version / Range
mitsubishi_electric room_air_conditioner *
mitsubishi_electric wired_lan_adapter *
mitsubishi_electric refrigerator *
mitsubishi_electric heat_pump_water_heater *
mitsubishi_electric bathroom_dryer *
mitsubishi_electric lossnay_central_ventilation_system *
mitsubishi_electric smart_switch *
mitsubishi_electric ih_cooking_heater *
mitsubishi_electric rice_cooker *
mitsubishi_electric room_air_conditioner 43.00
CWE ID Description
CWE-798 The product contains hard-coded credentials, such as a password or cryptographic key.
Compliance Impact

The vulnerability allows an attacker within Wi-Fi range to access device data such as operation status and temperature settings, change device or Wi-Fi settings, or cause denial-of-service conditions. However, the affected products do not store personal data, so this vulnerability does not directly expose personal information.

Because no personal data is exposed, the vulnerability is less likely to directly impact compliance with data protection regulations such as GDPR or HIPAA, which focus on the protection of personal and sensitive information.

Nevertheless, the ability to tamper with device settings or cause denial-of-service could have indirect effects on operational security and availability, which may be relevant under certain regulatory frameworks depending on the context of use.

Executive Summary

CVE-2026-5667 is a vulnerability in multiple Mitsubishi Electric home appliances caused by the use of hard-coded credentials. This means that certain Wi-Fi-enabled products have a fixed SSID and password embedded in them, which an attacker within Wi-Fi range can use to gain unauthorized access.

Affected products include room air conditioners, wireless LAN adapters, refrigerators, heat pump water heaters, bathroom dryers, ventilation systems, smart switches, IH cooking heaters, and rice cookers, primarily for the Japanese market but also outside Japan.

An attacker exploiting this vulnerability can access device data such as operation status, room set temperature, and room temperature; change air-conditioner or Wi-Fi settings; or cause Wi-Fi communication to enter a denial-of-service (DoS) condition.

The vulnerability specifically affects devices that have never been connected to a router or were reset to factory defaults without proper reconfiguration.

Impact Analysis

If you have an affected Mitsubishi Electric device within Wi-Fi range, an attacker could exploit this vulnerability to:

  • Obtain device data such as operation status, room set temperature, and room temperature.
  • Modify air-conditioner or Wi-Fi settings, potentially disrupting normal operation.
  • Cause Wi-Fi communication to enter a denial-of-service (DoS) state, making the device unavailable over the network.

However, the vulnerability does not expose personal data, as the affected products do not store such information.

To mitigate the risk, users should disable Wi-Fi if not in use or connect the device to a router and update the adapter software to version 43.00 or later.

Detection Guidance

This vulnerability involves a hard-coded SSID and password in affected Mitsubishi Electric Wi-Fi-enabled products. Detection means identifying devices within your Wi-Fi range that are broadcasting, or are connected using, these default credentials.

You can scan your wireless network for devices broadcasting the known hard-coded SSID or attempt to connect using the known default password to verify if the device is vulnerable.

Specific commands are not provided in the available resources, but general network scanning tools such as 'nmap' or 'iwlist' on Linux can be used to detect Wi-Fi devices and their SSIDs.

  • Use 'iwlist scan' to list available Wi-Fi networks and identify suspicious SSIDs.
  • Use 'nmap' to scan for devices on your network that may correspond to affected products.
  • Attempt to connect to the device using the known hard-coded SSID and password to confirm vulnerability.
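
The passive scan step above, as an added example that is not part of the original page: a shell function that filters `iwlist` scan output for access points whose ESSID matches the setup-mode SSID. The pattern `EXAMPLE-SETUP-AP`, the interface name `wlan0` and the sample scan output are constructed placeholders; the real SSID is not given on this page and has to come from the vendor advisory.

```shell
#!/bin/sh
# Added example (not from the page): list access points whose ESSID matches the
# appliance setup-mode SSID. PLACEHOLDER pattern; take the real SSID from the
# vendor advisory, it is not given on this page.
SETUP_SSID_PATTERN='^EXAMPLE-SETUP-AP$'

# find_setup_aps ERE: reads `iwlist <iface> scan` output on stdin, prints one
# tab-separated line per matching cell: BSSID, channel, signal (dBm), ESSID.
find_setup_aps() {
    [ -n "$1" ] || { echo "usage: find_setup_aps ERE" >&2; return 2; }
    awk -v pat="$1" '
        function emit() {             # print the cell collected so far
            if (bssid != "" && essid ~ pat)
                printf "%s\t%s\t%s\t%s\n", bssid, chan, sig, essid
        }
        /Cell [0-9]+ - Address:/ { emit(); bssid = $NF; chan = sig = essid = ""; next }
        /Channel:[0-9]+/ { v = $0; sub(/.*Channel:/, "", v); chan = v + 0 }
        /Signal level=/  { v = $0; sub(/.*Signal level=/, "", v); sig = v + 0 }
        /ESSID:"/        { v = $0; sub(/.*ESSID:"/, "", v); sub(/"[ \t]*$/, "", v); essid = v }
        END { emit() }
    '
}

# Constructed sample of `iwlist wlan0 scan` output (addresses are made up).
sample_scan() {
    cat <<'EOF'
wlan0     Scan completed :
          Cell 01 - Address: 02:00:00:00:00:01
                    Channel:6
                    Frequency:2.437 GHz (Channel 6)
                    Quality=60/70  Signal level=-50 dBm
                    Encryption key:on
                    ESSID:"HomeNet"
          Cell 02 - Address: 02:00:00:00:00:02
                    Channel:1
                    Quality=62/70  Signal level=-48 dBm
                    Encryption key:on
                    ESSID:"EXAMPLE-SETUP-AP"
          Cell 03 - Address: 02:00:00:00:00:03
                    Channel:11
                    Quality=30/70  Signal level=-80 dBm
                    ESSID:""
EOF
}

# Live use: iwlist wlan0 scan | find_setup_aps "$SETUP_SSID_PATTERN"
sample_scan | find_setup_aps "$SETUP_SSID_PATTERN"
```

A match seen from inside your premises points to an appliance that has never been joined to a router or has been factory-reset, which is the state the Executive Summary describes as affected.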

Mitigation Strategies

To mitigate this vulnerability, users should either disable Wi-Fi on affected devices if it is not in use or connect the device to a router and update the adapter software to version 43.00 or later.

If the device has never been connected to a router or was reset to factory defaults, ensure proper configuration is performed to avoid exposure to the hard-coded credentials.

Applying available software updates provided by Mitsubishi Electric for affected models is strongly recommended.
