Description
Use of Hard-coded Credentials vulnerability in Mitsubishi Electric Room Air Conditioners (for Japan and outside Japan); Wireless LAN Adapters for Room Air Conditioners (for Japan and outside Japan); Wireless LAN Adapters for Packaged Air Conditioners (for Japan and outside Japan); Refrigerators (for Japan); Heat Pump Water Heaters / HEMS-Compatible Adapters / Wireless LAN Adapters (for Japan); Bathroom Dryer / Heater / Ventilation Systems (for Japan); Adapters for Airflow Ventilation Systems, Heat Pump Chilled / Hot Water Systems, and Ventilation / Air-Conditioning System Air Resorts (for Japan); Lossnay Central Ventilation Systems (for Japan); Smart Switches for Ventilation Fans and Lossnay (for Japan); IH Cooking Heaters (for Japan); and Rice Cookers (for Japan) allows an attacker within Wi-Fi radio range of an affected product to access the affected product using a hard-coded SSID and password, thereby obtaining device data such as operation status, room set temperature, and room temperature; changing the air-conditioner or Wi-Fi settings; or causing Wi-Fi communication to enter a denial-of-service (DoS) condition.
Published: 2026-06-17
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A hard‑coded SSID and password is embedded in the firmware of many Mitsubishi Electric home appliances. An attacker who can reach the device over the wireless network can log in, retrieve operational data such as temperature or status, modify settings like room temperature or Wi‑Fi configuration, or force the device into a denial‑of‑service state. The vulnerability therefore enables both information disclosure and tampering with device operation.

Affected Systems

The flaw is present in a wide range of Mitsubishi Electric products. This includes Room Air Conditioners (both Japan and outside Japan) and their linked Wireless LAN Adapters, Refrigerators (Japan), Heat Pump Water Heaters with HEMS‑Compatible Adapters, Bathroom Dryer / Heater / Ventilation Systems, Adapters for Airflow Ventilation Systems and Heat Pump Chilled/Hot Water Systems, Lossnay Central Ventilation Systems, Smart Switches for Ventilation Fans and Lossnay, IH Cooking Heaters, and Rice Cookers. Many specific model numbers are listed in the CNA data, covering dozens of devices in each category.

Risk and Exploitability

The CVSS score of 7.2 indicates a substantial risk. No EPSS value is published, and the vulnerability has not appeared in the CISA KEV catalog. Attackers need proximity to the device’s Wi‑Fi radio (the likely attack vector is within the same local network), and no special privileges or host compromise are required. The attack can be performed with standard wireless tools by logging in with the hard‑coded credentials, making the threat realistic for any user within range of the affected appliances.

Generated by OpenCVE AI on June 18, 2026 at 12:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update released by Mitsubishi Electric for the affected models, which removes the hard‑coded credentials (see the PSIRT advisory PDF).
  • Once the patch is applied or if the patch is not immediately available, change the default SSID and password to unique, strong values and disable any unused Wi‑Fi services.
  • If the appliance does not need continuous Wi‑Fi connectivity, disconnect it from the network or place it in a separate VLAN to limit exposure.

Generated by OpenCVE AI on June 18, 2026 at 12:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 11:15:00 +0000

Type Values Removed Values Added
Description Use of Hard-coded Credentials vulnerability in Mitsubishi Electric Room Air Conditioners (for Japan and outside Japan); Wireless LAN Adapters for Room Air Conditioners (for Japan and outside Japan); Wireless LAN Adapters for Packaged Air Conditioners (for Japan and outside Japan); Refrigerators (for Japan); Heat Pump Water Heaters / HEMS-Compatible Adapters / Wireless LAN Adapters (for Japan); Bathroom Dryer / Heater / Ventilation Systems (for Japan); Adapters for Airflow Ventilation Systems, Heat Pump Chilled / Hot Water Systems, and Ventilation / Air-Conditioning System Air Resorts (for Japan); Lossnay Central Ventilation Systems (for Japan); Smart Switches for Ventilation Fans and Lossnay (for Japan); IH Cooking Heaters (for Japan); and Rice Cookers (for Japan) allows an attacker within Wi-Fi radio range of an affected product to access the affected product using a hard-coded SSID and password, thereby obtaining device data such as operation status, room set temperature, and room temperature; changing the air-conditioner or Wi-Fi settings; or causing Wi-Fi communication to enter a denial-of-service (DoS) condition.
Title Information Disclosure, Information Tampering, or Denial-of-Service (DoS) Vulnerability in Multiple Home Appliances
Weaknesses CWE-798
References
Metrics cvssV4_0

{'score': 7.2, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Mitsubishi

Published:

Updated: 2026-06-17T12:05:57.069Z

Reserved: 2026-04-06T08:10:51.740Z

Link: CVE-2026-5667

cve-icon Vulnrichment

Updated: 2026-06-17T12:05:40.029Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T12:15:02Z

Weaknesses
  • CWE-798

    Use of Hard-coded Credentials