CVE-2025-5022 identifies a vulnerability classified under CWE-521 (Weak Password Requirements) affecting Mitsubishi Electric Corporation's photovoltaic system monitor models PV-DR004J and PV-DR004JA across all versions. This vulnerability allows an attacker within Wi-Fi communication range between the measurement unit and the display unit to derive the device's password directly from the SSID broadcast by the units. The weakness arises from insufficient password complexity and the exposure of password-related information in the SSID, which is typically visible to any nearby Wi-Fi-enabled device. Notably, the vulnerability is mitigated when the product enters power-saving mode after a default inactivity period of 5 minutes, during which the display unit's LCD screen turns off, and presumably the Wi-Fi communication is reduced or disabled. The products affected were discontinued in 2015, with official support ending in 2020, meaning no vendor patches or updates are available to remediate this issue. The CVSS v3.1 base score is 6.5 (medium severity), reflecting that the attack vector is adjacent network (Wi-Fi range), requires no privileges or user interaction, and impacts confidentiality by exposing passwords, but does not affect integrity or availability. There are no known exploits in the wild at this time. The vulnerability primarily threatens the confidentiality of the system's authentication credentials, potentially enabling unauthorized access to the photovoltaic system monitor's network or data if exploited. Given the discontinued status and lack of patches, affected devices remain vulnerable unless mitigated by operational controls or device replacement.

For European organizations utilizing Mitsubishi Electric's PV-DR004J or PV-DR004JA photovoltaic system monitors, this vulnerability poses a risk of unauthorized access to the monitoring system via Wi-Fi interception. Although the products are discontinued and support ended in 2020, many installations may still be operational in industrial, commercial, or residential solar energy setups. Exploitation could lead to exposure of sensitive operational data, potential manipulation of monitoring parameters, or unauthorized network access if the compromised device is connected to broader organizational networks. This could undermine the confidentiality of energy production data and potentially facilitate lateral movement within the network. The limited attack range (Wi-Fi proximity) reduces the risk to remote attackers but increases the threat from insiders or attackers physically near the installation sites. The power-saving mode reduces exposure but only after inactivity, so active monitoring periods remain vulnerable. Given the strategic importance of renewable energy infrastructure in Europe’s energy transition, any compromise could have reputational and operational impacts, especially for organizations relying on these devices for critical energy monitoring and management.

Since the affected products are discontinued and unsupported, no official patches are available. European organizations should consider the following specific mitigations: 1) Physically secure the photovoltaic monitoring units to restrict unauthorized proximity access, including controlled access to areas where these devices are installed. 2) Disable or limit Wi-Fi communication if possible, or isolate the device's Wi-Fi network segment from critical organizational networks to contain potential breaches. 3) Implement network segmentation and monitoring to detect anomalous Wi-Fi activity near the devices. 4) Reduce device exposure time by configuring shorter inactivity periods to enter power-saving mode, if configurable, to minimize the window of vulnerability. 5) Where feasible, replace affected devices with newer, supported models that implement stronger password policies and secure communication protocols. 6) Conduct regular security audits of photovoltaic system infrastructure to identify legacy devices and assess risks. 7) Educate on-site personnel about the risks of physical proximity attacks and enforce strict access controls. These measures go beyond generic advice by focusing on physical security, network isolation, and operational controls tailored to the nature of this vulnerability and the product lifecycle status.