CVE-2025-5023: CWE-798 Use of Hard-coded Credentials in Mitsubishi Electric Corporation PV-DR004J
Use of Hard-coded Credentials vulnerability in Mitsubishi Electric Corporation photovoltaic system monitor “EcoGuideTAB” PV-DR004J all versions and PV-DR004JA all versions allows an attacker within the Wi-Fi communication range between the units of the product (measurement unit and display unit) to disclose information such as generated power and electricity sold back to the grid stored in the product, tamper with or destroy stored or configured information in the product, or cause a Denial-of-Service (DoS) condition on the product, by using the hardcoded user ID and password common to the product series obtained by exploiting CVE-2025-5022. The affected products were discontinued in 2015, and support ended in 2020.
AI Analysis
Technical Summary
CVE-2025-5023 is a high-severity vulnerability classified under CWE-798, which involves the use of hard-coded credentials in Mitsubishi Electric Corporation's photovoltaic system monitor models PV-DR004J and PV-DR004JA. These products, designed for monitoring solar power generation and electricity sold back to the grid, contain embedded user IDs and passwords common across all versions. An attacker within Wi-Fi communication range between the measurement and display units can exploit this vulnerability to gain unauthorized access without requiring authentication or user interaction. The attacker can disclose sensitive information such as generated power data and electricity sales, tamper with or destroy stored or configured information, or cause a Denial-of-Service (DoS) condition, disrupting the system's availability. This vulnerability is compounded by the prerequisite exploitation of CVE-2025-5022, which presumably allows extraction of these hard-coded credentials. The affected products were discontinued in 2015, with official support ending in 2020, meaning no patches or updates are available to remediate this issue. The CVSS v3.1 score of 7.1 reflects a high severity: the attack vector is adjacent network (Wi-Fi range), attack complexity is high, no privileges or user interaction are required, and the impact is low for confidentiality and high for both integrity and availability. The vulnerability poses a significant risk to the integrity and availability of photovoltaic monitoring systems, potentially leading to manipulation of energy data and operational disruption.
Potential Impact
For European organizations utilizing Mitsubishi Electric's PV-DR004J and PV-DR004JA photovoltaic monitoring systems, this vulnerability presents several risks. Unauthorized disclosure of energy generation and sales data could lead to privacy breaches or competitive intelligence gathering. More critically, tampering with or destroying stored data can disrupt energy management, billing accuracy, and grid interaction, potentially causing financial losses or regulatory non-compliance. A Denial-of-Service condition could interrupt monitoring capabilities, affecting operational awareness and response to photovoltaic system performance issues. Given the products are discontinued and unsupported, organizations face challenges in remediation, increasing exposure duration. This is particularly concerning for energy providers, commercial solar farm operators, and critical infrastructure entities in Europe relying on these systems for operational integrity and reporting. The vulnerability could also be leveraged in broader supply chain attacks or as a foothold for lateral movement within industrial control environments.
Mitigation Recommendations
Since the affected products are discontinued and unsupported, traditional patching is not an option. European organizations should first inventory and identify any deployments of PV-DR004J and PV-DR004JA units within their infrastructure. Immediate mitigation steps include isolating these devices from Wi-Fi networks accessible to untrusted parties by implementing strict network segmentation and limiting Wi-Fi communication range or disabling wireless interfaces if possible. Employ physical security controls to prevent proximity-based attacks. Where feasible, replace affected units with modern, supported photovoltaic monitoring systems that do not contain hard-coded credentials and support secure authentication mechanisms. Additionally, monitor network traffic for anomalous access patterns or repeated authentication attempts targeting these devices. Implement compensating controls such as VPN tunnels or encrypted communication channels between measurement and display units if supported. Finally, update incident response and business continuity plans to address potential disruptions caused by exploitation of this vulnerability.
Affected Countries
Germany, France, Italy, Spain, Netherlands, Belgium, United Kingdom, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: Mitsubishi
- Date Reserved: 2025-05-21T05:08:54.662Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 686f7dd1a83201eaaca69a21
Added to database: 7/10/2025, 8:46:09 AM
Last enriched: 9/19/2025, 3:34:11 PM
Last updated: 10/9/2025, 10:58:40 AM