{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-5023", "assignerOrgId": "e0f77b61-78fd-4786-b3fb-1ee347a748ad", "state": "PUBLISHED", "assignerShortName": "Mitsubishi", "dateReserved": "2025-05-21T05:08:54.662Z", "datePublished": "2025-07-10T08:34:13.758Z", "dateUpdated": "2025-09-19T00:11:19.035Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "PV-DR004J", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "All versions"}]}, {"defaultStatus": "unaffected", "product": "PV-DR004JA", "vendor": "Mitsubishi Electric Corporation", "versions": [{"status": "affected", "version": "All versions"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Use of Hard-coded Credentials vulnerability in Mitsubishi Electric Corporation photovoltaic system monitor \u201cEcoGuideTAB\u201d PV-DR004J all versions and PV-DR004JA all versions allows an attacker within the Wi-Fi communication range between the units of the product (measurement unit and display unit) to disclose information such as generated power and electricity sold back to the grid stored in the product, tamper with or destroy stored or configured information in the product, or cause a Denial-of-Service (DoS) condition on the product, by using hardcoded user ID and password common to the product series obtained by exploiting CVE-2025-5022. The affected products discontinued in 2015, support ended in 2020."}], "value": "Use of Hard-coded Credentials vulnerability in Mitsubishi Electric Corporation photovoltaic system monitor \u201cEcoGuideTAB\u201d PV-DR004J all versions and PV-DR004JA all versions allows an attacker within the Wi-Fi communication range between the units of the product (measurement unit and display unit) to disclose information such as generated power and electricity sold back to the grid stored in the product, tamper with or destroy stored or configured information in the product, or cause a Denial-of-Service (DoS) condition on the product, by using hardcoded user ID and password common to the product series obtained by exploiting CVE-2025-5022. The affected products discontinued in 2015, support ended in 2020."}], "impacts": [{"descriptions": [{"lang": "en", "value": "Information disclosure, tampering, and denial-of-service (DoS)"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-798", "description": "CWE-798 Use of Hard-coded Credentials", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "e0f77b61-78fd-4786-b3fb-1ee347a748ad", "shortName": "Mitsubishi", "dateUpdated": "2025-09-19T00:11:19.035Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-007_en.pdf"}, {"tags": ["government-resource"], "url": "https://jvn.jp/vu/JVNVU90283680/"}], "source": {"discovery": "UNKNOWN"}, "tags": ["unsupported-when-assigned"], "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-10T14:03:35.221730Z", "id": "CVE-2025-5023", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-10T14:03:50.737Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-5023", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-07-10T14:03:35.221730Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-10T14:03:39.718Z"}}], "cna": {"tags": ["unsupported-when-assigned"], "source": {"discovery": "UNKNOWN"}, "impacts": [{"descriptions": [{"lang": "en", "value": "Information disclosure, tampering, and denial-of-service (DoS)"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Mitsubishi Electric Corporation", "product": "PV-DR004J", "versions": [{"status": "affected", "version": "All versions"}], "defaultStatus": "unaffected"}, {"vendor": "Mitsubishi Electric Corporation", "product": "PV-DR004JA", "versions": [{"status": "affected", "version": "All versions"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-007_en.pdf", "tags": ["vendor-advisory"]}, {"url": "https://jvn.jp/vu/JVNVU90283680/", "tags": ["government-resource"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Use of Hard-coded Credentials vulnerability in Mitsubishi Electric Corporation photovoltaic system monitor \u201cEcoGuideTAB\u201d PV-DR004J all versions and PV-DR004JA all versions allows an attacker within the Wi-Fi communication range between the units of the product (measurement unit and display unit) to disclose information such as generated power and electricity sold back to the grid stored in the product, tamper with or destroy stored or configured information in the product, or cause a Denial-of-Service (DoS) condition on the product, by using hardcoded user ID and password common to the product series obtained by exploiting CVE-2025-5022. The affected products discontinued in 2015, support ended in 2020.", "supportingMedia": [{"type": "text/html", "value": "Use of Hard-coded Credentials vulnerability in Mitsubishi Electric Corporation photovoltaic system monitor \u201cEcoGuideTAB\u201d PV-DR004J all versions and PV-DR004JA all versions allows an attacker within the Wi-Fi communication range between the units of the product (measurement unit and display unit) to disclose information such as generated power and electricity sold back to the grid stored in the product, tamper with or destroy stored or configured information in the product, or cause a Denial-of-Service (DoS) condition on the product, by using hardcoded user ID and password common to the product series obtained by exploiting CVE-2025-5022. The affected products discontinued in 2015, support ended in 2020.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-798", "description": "CWE-798 Use of Hard-coded Credentials"}]}], "providerMetadata": {"orgId": "e0f77b61-78fd-4786-b3fb-1ee347a748ad", "shortName": "Mitsubishi", "dateUpdated": "2025-09-19T00:11:19.035Z"}}}, "cveMetadata": {"cveId": "CVE-2025-5023", "state": "PUBLISHED", "dateUpdated": "2025-09-19T00:11:19.035Z", "dateReserved": "2025-05-21T05:08:54.662Z", "assignerOrgId": "e0f77b61-78fd-4786-b3fb-1ee347a748ad", "datePublished": "2025-07-10T08:34:13.758Z", "assignerShortName": "Mitsubishi"}, "dataVersion": "5.1"}

{"cveTags": [{"sourceIdentifier": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "tags": ["unsupported-when-assigned"]}], "descriptions": [{"lang": "en", "value": "Use of Hard-coded Credentials vulnerability in Mitsubishi Electric Corporation photovoltaic system monitor \u201cEcoGuideTAB\u201d PV-DR004J all versions and PV-DR004JA all versions allows an attacker within the Wi-Fi communication range between the units of the product (measurement unit and display unit) to disclose information such as generated power and electricity sold back to the grid stored in the product, tamper with or destroy stored or configured information in the product, or cause a Denial-of-Service (DoS) condition on the product, by using hardcoded user ID and password common to the product series obtained by exploiting CVE-2025-5022. The affected products discontinued in 2015, support ended in 2020."}, {"lang": "es", "value": "La vulnerabilidad de uso de credenciales codificadas en el monitor del sistema fotovoltaico \u201cEcoGuideTAB\u201d de Mitsubishi Electric Corporation (PV-DR004J y PV-DR004JA en todas sus versiones) permite a un atacante dentro del rango de comunicaci\u00f3n Wi-Fi entre las unidades del producto (unidad de medici\u00f3n y unidad de visualizaci\u00f3n) divulgar informaci\u00f3n, como la energ\u00eda generada y la electricidad vendida a la red el\u00e9ctrica, almacenada en el producto, manipular o destruir informaci\u00f3n almacenada o configurada en el producto, o provocar una denegaci\u00f3n de servicio (DoS) en el producto mediante el uso de un ID de usuario y una contrase\u00f1a codificados, comunes a la serie del producto, obtenidos mediante la explotaci\u00f3n de CVE-2025-5022. Sin embargo, el producto no se ve afectado por esta vulnerabilidad si permanece sin uso durante un per\u00edodo determinado (predeterminado: 5 minutos) y entra en modo de ahorro de energ\u00eda con la pantalla LCD de la unidad de visualizaci\u00f3n apagada. Los productos afectados se discontinuaron en 2015 y el soporte t\u00e9cnico finaliz\u00f3 en 2020."}], "id": "CVE-2025-5023", "lastModified": "2025-09-19T01:15:34.680", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.5, "source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "type": "Secondary"}]}, "published": "2025-07-10T09:15:30.623", "references": [{"source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "url": "https://jvn.jp/vu/JVNVU90283680/"}, {"source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "url": "https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-007_en.pdf"}], "sourceIdentifier": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-798"}], "source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp", "type": "Secondary"}]}

{}

{}