fkie_cve-2025-5023
Vulnerability from fkie_nvd
Published
2025-07-10 09:15
Modified
2025-09-19 01:15
Severity ?
7.1 (High) - CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H
Summary
Use of Hard-coded Credentials vulnerability in Mitsubishi Electric Corporation photovoltaic system monitor “EcoGuideTAB” PV-DR004J all versions and PV-DR004JA all versions allows an attacker within the Wi-Fi communication range between the units of the product (measurement unit and display unit) to disclose information such as generated power and electricity sold back to the grid stored in the product, tamper with or destroy stored or configured information in the product, or cause a Denial-of-Service (DoS) condition on the product, by using hardcoded user ID and password common to the product series obtained by exploiting CVE-2025-5022. The affected products discontinued in 2015, support ended in 2020.
References
Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jphttps://jvn.jp/vu/JVNVU90283680/
Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jphttps://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-007_en.pdf
Impacted products
Vendor Product Version


To clipboard 

{
  "cveTags": [
    {
      "sourceIdentifier": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp",
      "tags": [
        "unsupported-when-assigned"
      ]
    }
  ],
  "descriptions": [
    {
      "lang": "en",
      "value": "Use of Hard-coded Credentials vulnerability in Mitsubishi Electric Corporation photovoltaic system monitor \u201cEcoGuideTAB\u201d PV-DR004J all versions and PV-DR004JA all versions allows an attacker within the Wi-Fi communication range between the units of the product (measurement unit and display unit) to disclose information such as generated power and electricity sold back to the grid stored in the product, tamper with or destroy stored or configured information in the product, or cause a Denial-of-Service (DoS) condition on the product, by using hardcoded user ID and password common to the product series obtained by exploiting CVE-2025-5022. The affected products discontinued in 2015, support ended in 2020."
    },
    {
      "lang": "es",
      "value": "La vulnerabilidad de uso de credenciales codificadas en el monitor del sistema fotovoltaico \u201cEcoGuideTAB\u201d de Mitsubishi Electric Corporation (PV-DR004J y PV-DR004JA en todas sus versiones) permite a un atacante dentro del rango de comunicaci\u00f3n Wi-Fi entre las unidades del producto (unidad de medici\u00f3n y unidad de visualizaci\u00f3n) divulgar informaci\u00f3n, como la energ\u00eda generada y la electricidad vendida a la red el\u00e9ctrica, almacenada en el producto, manipular o destruir informaci\u00f3n almacenada o configurada en el producto, o provocar una denegaci\u00f3n de servicio (DoS) en el producto mediante el uso de un ID de usuario y una contrase\u00f1a codificados, comunes a la serie del producto, obtenidos mediante la explotaci\u00f3n de CVE-2025-5022. Sin embargo, el producto no se ve afectado por esta vulnerabilidad si permanece sin uso durante un per\u00edodo determinado (predeterminado: 5 minutos) y entra en modo de ahorro de energ\u00eda con la pantalla LCD de la unidad de visualizaci\u00f3n apagada. Los productos afectados se discontinuaron en 2015 y el soporte t\u00e9cnico finaliz\u00f3 en 2020."
    }
  ],
  "id": "CVE-2025-5023",
  "lastModified": "2025-09-19T01:15:34.680",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "LOW",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 5.5,
        "source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-07-10T09:15:30.623",
  "references": [
    {
      "source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp",
      "url": "https://jvn.jp/vu/JVNVU90283680/"
    },
    {
      "source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp",
      "url": "https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-007_en.pdf"
    }
  ],
  "sourceIdentifier": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-798"
        }
      ],
      "source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.