CVE-2025-5022: CWE-521 Weak Password Requirements in Mitsubishi Electric Corporation PV-DR004J
Weak Password Requirements vulnerability in Mitsubishi Electric Corporation photovoltaic system monitor “EcoGuideTAB” PV-DR004J all versions and PV-DR004JA all versions allows an attacker within the Wi-Fi communication range between the units of the product (measurement unit and display unit) to derive the password from the SSID. However, the product is not affected by this vulnerability when it remains unused for a certain period of time (default: 5 minutes) and enters the power-saving mode with the display unit's LCD screen turned off. The affected products were discontinued in 2015, and support ended in 2020.
AI Analysis
Technical Summary
CVE-2025-5022 identifies a weakness in the password requirements of Mitsubishi Electric Corporation's photovoltaic system monitor models PV-DR004J and PV-DR004JA. These devices, designed for monitoring solar power systems, use Wi-Fi communication between a measurement unit and a display unit. The vulnerability arises because an attacker within Wi-Fi range can derive the device's password directly from the SSID broadcast by the units. This implies that the SSID contains information or patterns that reveal the password, violating secure password design principles (CWE-521: Weak Password Requirements).
Notably, the vulnerability is mitigated when the device enters power-saving mode after 5 minutes of inactivity, during which the display unit's LCD turns off and the device presumably stops broadcasting the SSID or changes its behavior. The affected products were discontinued in 2015, and official support ended in 2020, meaning no patches or updates are available to remediate this issue.
The CVSS v3.1 base score is 6.5 (medium severity), with an attack vector classified as adjacent network (AV:A), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), and no impact on integrity or availability (I:N, A:N). This indicates that an attacker within Wi-Fi range can easily exploit the vulnerability to obtain sensitive information (password), potentially compromising confidentiality but not affecting system integrity or availability.
There are no known exploits in the wild, and no patches are available due to product discontinuation. The vulnerability primarily affects environments where these photovoltaic monitors are deployed and actively communicating over Wi-Fi, especially if devices are not entering power-saving mode or are actively used.
Potential Impact
For European organizations utilizing Mitsubishi Electric's PV-DR004J or PV-DR004JA photovoltaic monitoring systems, this vulnerability poses a confidentiality risk. An attacker within Wi-Fi range could extract passwords, potentially gaining unauthorized access to the monitoring system's network or data. This could lead to unauthorized monitoring, data leakage, or manipulation of monitoring data if further vulnerabilities exist beyond this password exposure. Although the vulnerability does not directly affect system integrity or availability, unauthorized access could facilitate further attacks or data exfiltration. Given that these products were discontinued in 2015 and support ended in 2020, organizations still operating these devices may face challenges in securing them. The risk is higher in environments where physical security is lax, or where Wi-Fi signals extend beyond controlled premises, such as in industrial or commercial solar installations. Additionally, the confidentiality impact could extend to sensitive operational data about energy production, which may be strategically valuable. However, the requirement for proximity (Wi-Fi range) limits the attack surface to local attackers rather than remote threat actors. The power-saving mode reduces risk during inactivity but does not eliminate it during active use. Overall, European organizations relying on these devices should consider the risk of unauthorized access and potential data exposure, especially in critical infrastructure or energy sectors.
Mitigation Recommendations
Given the absence of patches due to product discontinuation, mitigation must focus on compensating controls:
- Assess whether these devices are still in active use and consider replacing them with supported, updated models that follow modern security standards.
- If replacement is not immediately feasible, network segmentation is critical: isolate the photovoltaic monitoring system's Wi-Fi network from other corporate or operational networks to limit lateral movement if compromised.
- Employ strong physical security controls to restrict attacker proximity to the Wi-Fi signal.
- Adjust Wi-Fi transmission power to minimize signal leakage outside secure areas.
- Monitor Wi-Fi networks for unauthorized devices or unusual activity near the photovoltaic systems.
- Where possible, configure devices to enter power-saving mode more aggressively or reduce active communication time to limit exposure windows.
- Implement compensating authentication or encryption layers at the network level, such as VPN tunnels or WPA3 Enterprise Wi-Fi security, if supported by the environment.
- Maintain strict access control policies and audit logs for any access to the photovoltaic monitoring systems to detect and respond to suspicious activities promptly.
Affected Countries
Germany, France, Italy, Spain, United Kingdom, Netherlands, Belgium, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Mitsubishi
- Date Reserved: 2025-05-21T05:08:50.753Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 686f7dd1a83201eaaca69a1e
Added to database: 7/10/2025, 8:46:09 AM
Last enriched: 7/17/2025, 8:36:43 PM
Last updated: 8/22/2025, 10:41:41 AM