
CVE-2022-33322: CWE-79 Cross-site Scripting (XSS) in Mitsubishi Electric Corporation Air Conditioning MSZ-FD40/56/63/71/8022S

Medium
Tags: Vulnerability, CVE-2022-33322, cve, cwe-79
Published: Tue Nov 08 2022 (11/08/2022, 00:00:00 UTC)
Source: CVE
Vendor/Project: Mitsubishi Electric Corporation
Product: Air Conditioning MSZ-FD40/56/63/71/8022S

Description

Cross-site scripting vulnerability in Mitsubishi Electric consumer electronics products (Air Conditioning, Wi-Fi Interface, Refrigerator, HEMS adapter, Remote control with Wi-Fi Interface, BATHROOM THERMO VENTILATOR, Rice cooker, Mitsubishi Electric HEMS control adapter, Energy Recovery Ventilator, Smart Switch and Air Purifier) allows a remote unauthenticated attacker to execute a malicious script in a user's browser to disclose information, etc. A wide range of models/versions of Mitsubishi Electric consumer electronics products are affected by this vulnerability. For the affected product models/versions, see Mitsubishi Electric's advisory listed in the [References] section.

AI-Powered Analysis

Last updated: 06/25/2025, 19:44:11 UTC

Technical Analysis

CVE-2022-33322 is a cross-site scripting (XSS) vulnerability classified under CWE-79 affecting multiple consumer electronics products manufactured by Mitsubishi Electric Corporation. The affected products include a broad range of devices such as air conditioning units (specifically models MSZ-FD40/56/63/71/8022S), Wi-Fi interfaces, refrigerators, HEMS adapters, remote controls with Wi-Fi interfaces, bathroom thermo ventilators, rice cookers, energy recovery ventilators, smart switches, and air purifiers. The vulnerability exists in versions 30.00 to 35.00 of the affected products' firmware or software.

Technically, the vulnerability allows a remote attacker, with no authentication required, to inject malicious scripts that execute in the context of a user's browser when the user interacts with the device's web interface or management portal. This can lead to information disclosure, such as theft of session cookies or sensitive configuration data, potentially enabling further attacks such as session hijacking or unauthorized control of the device.

The CVSS v3.1 base score is 6.1, indicating medium severity, with an attack vector of network (AV:N), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). The scope is changed (S:C), meaning the vulnerability affects components beyond the initially vulnerable component. The impact on confidentiality and integrity is low (C:L, I:L), with no impact on availability (A:N). No known exploits are reported in the wild as of the publication date (November 8, 2022), and no official patches or updates are linked in the advisory.

The vulnerability is significant because of the wide range of consumer electronics affected, many of which are connected to home or building networks and may be reachable remotely via Wi-Fi or internet interfaces. This broad attack surface increases the risk of exploitation, especially in environments where users may not be aware of the security implications of interacting with these devices' web interfaces.

Potential Impact

For European organizations, especially those in residential, commercial real estate, hospitality, and facility management sectors, this vulnerability poses a risk of unauthorized data disclosure and potential manipulation of device settings. Although the direct impact on availability is none, the compromise of confidentiality and integrity could lead to privacy violations, unauthorized access to building management systems, or lateral movement within internal networks if attackers leverage stolen credentials or session information. The diversity of affected devices means that attackers could target multiple points within an organization's infrastructure, increasing the complexity of detection and response. Additionally, organizations relying on Mitsubishi Electric products for energy management or HVAC control could face operational disruptions indirectly if attackers manipulate device configurations or cause user mistrust. The requirement for user interaction reduces the likelihood of automated widespread exploitation but does not eliminate targeted attacks, especially in environments where users frequently access device interfaces.

Mitigation Recommendations

1. Immediately verify the firmware/software versions on all Mitsubishi Electric consumer electronics within the organization and identify devices running versions 30.00 to 35.00.
2. Apply any available firmware updates or patches from Mitsubishi Electric as soon as they are released; if no patches are currently available, engage with the vendor for timelines and interim mitigations.
3. Restrict access to device management interfaces by implementing network segmentation and firewall rules that limit access to trusted internal networks only, preventing exposure to the internet.
4. Disable or restrict remote access features where not strictly necessary, especially Wi-Fi or web interfaces accessible from outside the local network.
5. Educate users and administrators about the risks of interacting with device web interfaces and the importance of avoiding clicking on suspicious links or inputs that could trigger XSS payloads.
6. Implement web application firewalls (WAFs) or intrusion detection/prevention systems (IDS/IPS) capable of detecting and blocking XSS attack patterns targeting these devices.
7. Monitor network traffic and device logs for unusual activity or signs of attempted exploitation, focusing on HTTP requests containing suspicious scripts or payloads.
8. Consider deploying endpoint protection solutions that can detect malicious scripts executing in browsers, adding an additional layer of defense against XSS exploitation.
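Recommendation 7 is the one a SOC can act on today without vendor input. The following is an added example, not code from the original page or from Mitsubishi Electric: a small scanner that walks access-log lines in combined log format (the devices' actual log format is not documented on this page, so this is an assumption), URL-decodes each request target, repeating the decode to defeat double-encoding, and flags targets that carry script-like markup. The log lines are constructed for the example and use documentation IP ranges.

```python
import re
from urllib.parse import unquote_plus

# Combined-log-format prefix: client, identd, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Markup fragments that have no business in a query string sent to a
# thermostat or appliance web UI. Event handlers are only matched inside a
# tag to avoid flagging ordinary parameters such as "online=true".
SCRIPT_PATTERNS = {
    "script_tag": re.compile(r"<\s*script", re.I),
    "javascript_uri": re.compile(r"javascript\s*:", re.I),
    "event_handler": re.compile(r"<[^>]*\bon[a-z]+\s*=", re.I),
    "html_element": re.compile(r"<\s*(img|svg|iframe|object|embed)\b", re.I),
}


def normalize(target: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded), so that
    %253Cscript%253E is seen as <script> just like %3Cscript%3E."""
    prev, cur, rounds = None, target, 0
    while cur != prev and rounds < max_rounds:
        prev, cur = cur, unquote_plus(cur)
        rounds += 1
    return cur


def inspect_line(line: str):
    """Return a finding dict for a suspicious request line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # malformed or non-access-log line: skip, do not crash
    decoded = normalize(m.group("target"))
    indicators = [name for name, pat in SCRIPT_PATTERNS.items() if pat.search(decoded)]
    if not indicators:
        return None
    return {
        "src": m.group("src"),
        "ts": m.group("ts"),
        "status": int(m.group("status")),
        "target": decoded,
        "indicators": indicators,
    }


def scan(lines):
    """Scan an iterable of log lines and collect all findings in order."""
    return [f for f in map(inspect_line, lines) if f is not None]


# Constructed sample log: two benign requests, a plainly encoded script tag,
# a double-encoded image tag with an event handler, and one junk line.
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Nov/2022:10:00:01 +0000] "GET /status.html HTTP/1.1" 200 512',
    '192.0.2.10 - - [08/Nov/2022:10:00:05 +0000] "GET /set?mode=cool&temp=24 HTTP/1.1" 200 128',
    '198.51.100.7 - - [08/Nov/2022:10:01:12 +0000] '
    '"GET /set?mode=%3Cscript%3Etest%3C%2Fscript%3E HTTP/1.1" 200 128',
    '198.51.100.7 - - [08/Nov/2022:10:01:15 +0000] '
    '"GET /set?mode=%253Cimg%2520src%253Dx%2520onerror%253Dtest%253E HTTP/1.1" 200 128',
    'not an access log line',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding['ts']} {finding['src']} {finding['target']} -> {finding['indicators']}")
```

A 200 status on a flagged request is the interesting case: it means the device accepted the input, so the same source should be checked against the device's configuration-change history, and the affected interface should be pulled behind the segmentation from recommendation 3 until the vendor fix is applied.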


Technical Details

Data Version: 5.1
Assigner Short Name: Mitsubishi
Date Reserved: 2022-06-14T00:00:00.000Z
CISA Enriched: true
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 682d9839c4522896dcbecc0b

Added to database: 5/21/2025, 9:09:13 AM

Last enriched: 6/25/2025, 7:44:11 PM

Last updated: 7/29/2025, 12:01:37 AM
