CVE-2025-5022: CWE-521 Weak Password Requirements in Mitsubishi Electric Corporation PV-DR004J
Weak Password Requirements vulnerability in Mitsubishi Electric Corporation photovoltaic system monitor “EcoGuideTAB” PV-DR004J all versions and PV-DR004JA all versions allows an attacker within the Wi-Fi communication range between the units of the product (measurement unit and display unit) to derive the password from the SSID. In addition, if the product is configured to enable the individual air conditioner control function, an attacker who has access to the Wi-Fi communication between the units by exploiting this vulnerability may be able to execute ECHONET Lite commands to perform operations such as turning the air conditioner on or off and changing the set temperature. The individual air conditioner control function is available only in display unit version 02.00.01 or later and measurement unit version 02.03.01 or later. The affected products were discontinued in 2015, and support ended in 2020.
AI Analysis
Technical Summary
CVE-2025-5022 is a vulnerability in Mitsubishi Electric Corporation's photovoltaic system monitor models PV-DR004J and PV-DR004JA, affecting all versions. The core issue is weak password requirements: an attacker within Wi-Fi communication range between the measurement unit and the display unit can derive the Wi-Fi password directly from the SSID broadcast by the devices. The vulnerability is classified as CWE-521, which covers password requirements that do not adequately protect authentication credentials. Furthermore, if the product is configured with the individual air conditioner control function (available only in display unit version 02.00.01 or later and measurement unit version 02.03.01 or later), an attacker exploiting this vulnerability can send ECHONET Lite commands over the Wi-Fi link. This enables unauthorized operations such as turning the air conditioner on or off and adjusting temperature settings. The vulnerability does not require user interaction or prior authentication, but the attacker must be within Wi-Fi range, which limits the attack surface to local proximity. The affected products were discontinued in 2015 and support ended in 2020, so no official patches or updates are available. The CVSS v3.1 base score is 6.5 (medium severity), with the vector indicating attack via an adjacent network (Wi-Fi), low attack complexity, no privileges or user interaction required, and high confidentiality impact but no integrity or availability impact. No known exploits are reported in the wild as of now. The lack of a patch, combined with the ability to control connected air conditioning units, poses a risk of unauthorized control and potential privacy or operational disruption in environments using these devices.
Potential Impact
For European organizations, especially those operating photovoltaic systems with Mitsubishi Electric's PV-DR004J or PV-DR004JA monitors, this vulnerability presents a moderate risk. The ability to derive the password from the SSID compromises the confidentiality of the Wi-Fi communication between units, potentially exposing sensitive operational data. More critically, if the individual air conditioner control function is enabled, an attacker within Wi-Fi range can change air conditioner settings without authorization, which could lead to discomfort, energy waste, or disruption of climate-controlled environments such as data centers, offices, or manufacturing facilities. Although the affected products are discontinued and support has ended, many installations may still be operational, particularly in industrial or commercial settings. The proximity requirement limits large-scale remote exploitation, but insiders or attackers who gain physical proximity could leverage this vulnerability. The lack of integrity and availability impact reduces the risk of system-wide failures, but unauthorized control of HVAC systems can have secondary effects on business continuity and operational efficiency. Overall, the impact is moderate but non-negligible for organizations relying on these systems in Europe.
Mitigation Recommendations
Given that the affected products are discontinued and unsupported, organizations should prioritize the following mitigations:
1) Physically secure the locations of the photovoltaic system monitors to prevent unauthorized proximity access to their Wi-Fi communications.
2) Disable the individual air conditioner control function if it is not essential; this reduces the attack surface by removing the path for unauthorized ECHONET Lite commands.
3) Where possible, replace the affected PV-DR004J and PV-DR004JA units with newer, supported models that implement stronger password policies and encrypted communications.
4) Implement network segmentation and Wi-Fi access controls to restrict access to the communication channels between units, such as using dedicated secure Wi-Fi networks with strong encryption and authentication.
5) Monitor network traffic for unusual ECHONET Lite commands or unauthorized access attempts to detect exploitation attempts.
6) Educate facility staff about the risks of unauthorized physical access near these devices.
7) If replacement is not immediately feasible, consider deploying external security controls such as Wi-Fi intrusion detection systems or RF shielding to limit attack range.
These steps focus on compensating controls, given the lack of patches and the physical proximity requirement.
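An added example for the traffic-monitoring recommendation (not from the advisory or the vendor): it parses ECHONET Lite frames, as carried on UDP port 3610, and flags property-write requests aimed at a home air conditioner object when the sender is outside an allowlist. The frame layout and codes follow the public ECHONET Lite specification; the allowlist, addresses and sample datagrams are constructed assumptions.

```python
import ipaddress
import struct

ECHONET_LITE_PORT = 3610                      # UDP port used by ECHONET Lite
SET_SERVICES = {0x60: "SetI", 0x61: "SetC"}   # ESV codes that write properties
HOME_AC_CLASS = (0x01, 0x30)                  # class group / class: home air conditioner
WATCHED_EPC = {0x80: "operation status", 0xB3: "set temperature"}

def parse_frame(payload: bytes):
    """Parse one ECHONET Lite frame (format 1); return None if malformed."""
    if len(payload) < 12 or payload[0] != 0x10 or payload[1] != 0x81:
        return None
    tid, = struct.unpack(">H", payload[2:4])
    seoj, deoj = payload[4:7], payload[7:10]
    esv, opc = payload[10], payload[11]
    props, off = [], 12
    for _ in range(opc):                      # OPC = number of properties
        if off + 2 > len(payload):
            return None
        epc, pdc = payload[off], payload[off + 1]
        edt = payload[off + 2: off + 2 + pdc]
        if len(edt) != pdc:
            return None                       # truncated property data
        props.append((epc, edt))
        off += 2 + pdc
    return {"tid": tid, "seoj": seoj, "deoj": deoj, "esv": esv, "props": props}

def alerts_for(src_ip: str, payload: bytes, allowed_sources):
    """Return alert strings for AC write requests from unapproved senders."""
    frame = parse_frame(payload)
    if frame is None or frame["esv"] not in SET_SERVICES:
        return []
    if tuple(frame["deoj"][:2]) != HOME_AC_CLASS:
        return []
    if ipaddress.ip_address(src_ip) in allowed_sources:
        return []
    return [f"{src_ip}: {SET_SERVICES[frame['esv']]} {WATCHED_EPC[epc]} = {edt.hex()}"
            for epc, edt in frame["props"] if epc in WATCHED_EPC]

# Constructed sample datagrams (not captured traffic); addresses are placeholders.
ALLOWED = {ipaddress.ip_address("192.0.2.10")}   # assumed display unit address
AC_OFF = bytes.fromhex("10 81 00 01 05 ff 01 01 30 01 61 01 80 01 31")
SET_TEMP = bytes.fromhex("10 81 00 02 05 ff 01 01 30 01 60 01 b3 01 1a")
GET_STATE = bytes.fromhex("10 81 00 03 05 ff 01 01 30 01 62 01 80 00")

if __name__ == "__main__":
    for ip, pkt in [("192.0.2.77", AC_OFF), ("192.0.2.10", AC_OFF),
                    ("192.0.2.77", SET_TEMP), ("192.0.2.77", GET_STATE)]:
        print(alerts_for(ip, pkt, ALLOWED))
```

Because a station that has joined the Wi-Fi network can spoof a source address, treat the allowlist as a tripwire and pair it with alerts on unknown MAC addresses associating to the units' SSID.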
Affected Countries
Germany, France, Italy, Spain, United Kingdom, Netherlands, Belgium, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Mitsubishi
- Date Reserved: 2025-05-21T05:08:50.753Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 686f7dd1a83201eaaca69a1e
Added to database: 7/10/2025, 8:46:09 AM
Last enriched: 9/19/2025, 3:33:56 PM
Last updated: 10/9/2025, 11:01:09 AM