CVE-2025-5022: CWE-521 Weak Password Requirements in Mitsubishi Electric Corporation PV-DR004J
Weak Password Requirements vulnerability in Mitsubishi Electric Corporation photovoltaic system monitor “EcoGuideTAB” PV-DR004J all versions and PV-DR004JA all versions allows an attacker within the Wi-Fi communication range between the units of the product (measurement unit and display unit) to derive the password from the SSID. However, the product is not affected by this vulnerability when it remains unused for a certain period of time (default: 5 minutes) and enters the power-saving mode with the display unit's LCD screen turned off. The affected products were discontinued in 2015, and support ended in 2020.
AI Analysis
Technical Summary
CVE-2025-5022 identifies a vulnerability classified under CWE-521 (Weak Password Requirements) affecting Mitsubishi Electric Corporation's photovoltaic system monitor models PV-DR004J and PV-DR004JA across all versions. This vulnerability allows an attacker within Wi-Fi communication range between the measurement unit and the display unit to derive the device's password directly from the SSID broadcast by the units. The weakness arises from insufficient password complexity and the exposure of password-related information in the SSID, which is typically visible to any nearby Wi-Fi-enabled device. Notably, the vulnerability is mitigated when the product enters power-saving mode after a default inactivity period of 5 minutes, during which the display unit's LCD screen turns off, and presumably the Wi-Fi communication is reduced or disabled. The products affected were discontinued in 2015, with official support ending in 2020, meaning no vendor patches or updates are available to remediate this issue. The CVSS v3.1 base score is 6.5 (medium severity), reflecting that the attack vector is adjacent network (Wi-Fi range), requires no privileges or user interaction, and impacts confidentiality by exposing passwords, but does not affect integrity or availability. There are no known exploits in the wild at this time. The vulnerability primarily threatens the confidentiality of the system's authentication credentials, potentially enabling unauthorized access to the photovoltaic system monitor's network or data if exploited. Given the discontinued status and lack of patches, affected devices remain vulnerable unless mitigated by operational controls or device replacement.
Potential Impact
For European organizations utilizing Mitsubishi Electric's PV-DR004J or PV-DR004JA photovoltaic system monitors, this vulnerability poses a risk of unauthorized access to the monitoring system via Wi-Fi interception. Although the products are discontinued and support ended in 2020, many installations may still be operational in industrial, commercial, or residential solar energy setups. Exploitation could lead to exposure of sensitive operational data, potential manipulation of monitoring parameters, or unauthorized network access if the compromised device is connected to broader organizational networks. This could undermine the confidentiality of energy production data and potentially facilitate lateral movement within the network. The limited attack range (Wi-Fi proximity) reduces the risk to remote attackers but increases the threat from insiders or attackers physically near the installation sites. The power-saving mode reduces exposure but only after inactivity, so active monitoring periods remain vulnerable. Given the strategic importance of renewable energy infrastructure in Europe’s energy transition, any compromise could have reputational and operational impacts, especially for organizations relying on these devices for critical energy monitoring and management.
Mitigation Recommendations
Since the affected products are discontinued and unsupported, no official patches are available. European organizations should consider the following specific mitigations:
1) Physically secure the photovoltaic monitoring units to restrict unauthorized proximity access, including controlled access to areas where these devices are installed.
2) Disable or limit Wi-Fi communication if possible, or isolate the device's Wi-Fi network segment from critical organizational networks to contain potential breaches.
3) Implement network segmentation and monitoring to detect anomalous Wi-Fi activity near the devices.
4) Reduce device exposure time by configuring shorter inactivity periods to enter power-saving mode, if configurable, to minimize the window of vulnerability.
5) Where feasible, replace affected devices with newer, supported models that implement stronger password policies and secure communication protocols.
6) Conduct regular security audits of photovoltaic system infrastructure to identify legacy devices and assess risks.
7) Educate on-site personnel about the risks of physical proximity attacks and enforce strict access controls.
These measures go beyond generic advice by focusing on physical security, network isolation, and operational controls tailored to the nature of this vulnerability and the product lifecycle status.
Affected Countries
Germany, France, Italy, Spain, Netherlands, Belgium, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Mitsubishi
- Date Reserved: 2025-05-21T05:08:50.753Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 686f7dd1a83201eaaca69a1e
Added to database: 7/10/2025, 8:46:09 AM
Last enriched: 7/10/2025, 9:01:33 AM
Last updated: 7/10/2025, 2:32:03 PM