CVE-2025-5023

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-5023
Use of Hard-coded Credentials vulnerability in Mitsubishi Electric Corporation photovoltaic system monitor “EcoGuideTAB” PV-DR004J all versions and PV-DR004JA all versions allows an attacker within the Wi-Fi communication range between the units of the product (measurement unit and display unit) to disclose information such as generated power and electricity sold back to the grid stored in the product, tamper with or destroy stored or configured information in the product, or cause a Denial-of-Service (DoS) condition on the product, by using hardcoded user ID and password common to the product series obtained by exploiting CVE-2025-5022. The affected products discontinued in 2015, support ended in 2020.

7.1 /10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 5.5

Attack Vector ADJACENT_NETWORK

Attack Complexity HIGH

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://jvn.jp/vu/JVNVU90283680/
https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-007_en.pdf
Configurations

No configuration.

History

19 Sep 2025, 01:15

Type Values Removed Values Added
Summary (en) Use of Hard-coded Credentials vulnerability in Mitsubishi Electric Corporation photovoltaic system monitor “EcoGuideTAB” PV-DR004J all versions and PV-DR004JA all versions allows an attacker within the Wi-Fi communication range between the units of the product (measurement unit and display unit) to disclose information such as generated power and electricity sold back to the grid stored in the product, tamper with or destroy stored or configured information in the product, or cause a Denial-of-Service (DoS) condition on the product, by using hardcoded user ID and password common to the product series obtained by exploiting CVE-2025-5022. However, the product is not affected by this vulnerability when it remains unused for a certain period of time (default: 5 minutes) and enters the power-saving mode with the display unit's LCD screen turned off. The affected products discontinued in 2015, support ended in 2020. (en) Use of Hard-coded Credentials vulnerability in Mitsubishi Electric Corporation photovoltaic system monitor “EcoGuideTAB” PV-DR004J all versions and PV-DR004JA all versions allows an attacker within the Wi-Fi communication range between the units of the product (measurement unit and display unit) to disclose information such as generated power and electricity sold back to the grid stored in the product, tamper with or destroy stored or configured information in the product, or cause a Denial-of-Service (DoS) condition on the product, by using hardcoded user ID and password common to the product series obtained by exploiting CVE-2025-5022. The affected products discontinued in 2015, support ended in 2020.
References
  • () https://jvn.jp/vu/JVNVU90283680/ -

17 Jul 2025, 09:15

Type Values Removed Values Added
Summary
  • (es) La vulnerabilidad de uso de credenciales codificadas en el monitor del sistema fotovoltaico “EcoGuideTAB” de Mitsubishi Electric Corporation (PV-DR004J y PV-DR004JA en todas sus versiones) permite a un atacante dentro del rango de comunicación Wi-Fi entre las unidades del producto (unidad de medición y unidad de visualización) divulgar información, como la energía generada y la electricidad vendida a la red eléctrica, almacenada en el producto, manipular o destruir información almacenada o configurada en el producto, o provocar una denegación de servicio (DoS) en el producto mediante el uso de un ID de usuario y una contraseña codificados, comunes a la serie del producto, obtenidos mediante la explotación de CVE-2025-5022. Sin embargo, el producto no se ve afectado por esta vulnerabilidad si permanece sin uso durante un período determinado (predeterminado: 5 minutos) y entra en modo de ahorro de energía con la pantalla LCD de la unidad de visualización apagada. Los productos afectados se discontinuaron en 2015 y el soporte técnico finalizó en 2020.

10 Jul 2025, 09:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-07-10 09:15

Updated : 2025-09-19 01:15

NVD link : CVE-2025-5023

Mitre link : CVE-2025-5023

CVE.ORG link : CVE-2025-5023

JSON object : View

Products Affected

No product.

CWE
CWE-798

Use of Hard-coded Credentials