Impact
A hard‑coded SSID and password is embedded in the firmware of many Mitsubishi Electric home appliances. An attacker who can reach the device over the wireless network can log in, retrieve operational data such as temperature or status, modify settings like room temperature or Wi‑Fi configuration, or force the device into a denial‑of‑service state. The vulnerability therefore enables both information disclosure and tampering with device operation.
Affected Systems
The flaw is present in a wide range of Mitsubishi Electric products. This includes Room Air Conditioners (both Japan and outside Japan) and their linked Wireless LAN Adapters, Refrigerators (Japan), Heat Pump Water Heaters with HEMS‑Compatible Adapters, Bathroom Dryer / Heater / Ventilation Systems, Adapters for Airflow Ventilation Systems and Heat Pump Chilled/Hot Water Systems, Lossnay Central Ventilation Systems, Smart Switches for Ventilation Fans and Lossnay, IH Cooking Heaters, and Rice Cookers. Many specific model numbers are listed in the CNA data, covering dozens of devices in each category.
Risk and Exploitability
The CVSS score of 7.2 indicates a substantial risk. No EPSS value is published, and the vulnerability has not appeared in the CISA KEV catalog. Attackers need proximity to the device’s Wi‑Fi radio (the likely attack vector is within the same local network), and no special privileges or host compromise are required. The attack can be performed with standard wireless tools by logging in with the hard‑coded credentials, making the threat realistic for any user within range of the affected appliances.
OpenCVE Enrichment