Skip to main content

CVE-2025-5023: CWE-798 Use of Hard-coded Credentials in Mitsubishi Electric Corporation PV-DR004J

High
VulnerabilityCVE-2025-5023cvecve-2025-5023cwe-798
Published: Thu Jul 10 2025 (07/10/2025, 08:34:13 UTC)
Source: CVE Database V5
Vendor/Project: Mitsubishi Electric Corporation
Product: PV-DR004J

Description

Use of Hard-coded Credentials vulnerability in Mitsubishi Electric Corporation photovoltaic system monitor “EcoGuideTAB” PV-DR004J all versions and PV-DR004JA all versions allows an attacker within the Wi-Fi communication range between the units of the product (measurement unit and display unit) to disclose information such as generated power and electricity sold back to the grid stored in the product, tamper with or destroy stored or configured information in the product, or cause a Denial-of-Service (DoS) condition on the product, by using hardcoded user ID and password common to the product series obtained by exploiting CVE-2025-5022. However, the product is not affected by this vulnerability when it remains unused for a certain period of time (default: 5 minutes) and enters the power-saving mode with the display unit's LCD screen turned off. The affected products discontinued in 2015, support ended in 2020.

AI-Powered Analysis

AILast updated: 07/10/2025, 09:01:16 UTC

Technical Analysis

CVE-2025-5023 is a high-severity vulnerability affecting Mitsubishi Electric Corporation's photovoltaic system monitor models PV-DR004J and PV-DR004JA, encompassing all versions of these discontinued products. The vulnerability arises from the use of hard-coded credentials (CWE-798) embedded within the product firmware, which can be exploited by an attacker within Wi-Fi communication range between the measurement unit and the display unit. By leveraging these hard-coded user ID and password pairs—obtainable through exploitation of a related vulnerability CVE-2025-5022—an attacker can gain unauthorized access to the system. This access enables the attacker to disclose sensitive information such as generated power metrics and electricity sold back to the grid, tamper with or destroy stored or configured data, or induce a Denial-of-Service (DoS) condition, severely impacting system availability and integrity. Notably, the vulnerability is mitigated when the device enters power-saving mode after 5 minutes of inactivity, turning off the display unit's LCD screen, which disables Wi-Fi communication. However, since the products were discontinued in 2015 and support ended in 2020, no official patches or updates are available to remediate this issue. The CVSS v3.1 base score of 7.1 reflects the high impact on integrity and availability, with attack vector being adjacent network (Wi-Fi), requiring no privileges or user interaction but with high attack complexity due to the need to exploit CVE-2025-5022 first. The vulnerability poses a significant risk to the confidentiality, integrity, and availability of photovoltaic monitoring systems, potentially affecting energy management and operational continuity in installations using these devices.

Potential Impact

For European organizations, especially those involved in renewable energy generation and management, this vulnerability presents a tangible risk. Unauthorized disclosure of power generation and grid feed-in data could lead to privacy breaches or competitive intelligence gathering. More critically, tampering or destruction of configuration and stored data can disrupt energy monitoring and reporting, potentially causing operational inefficiencies or regulatory non-compliance. A Denial-of-Service condition could interrupt real-time monitoring, impairing the ability to detect faults or optimize energy production. Given the increasing reliance on photovoltaic systems for sustainable energy goals across Europe, compromised monitoring devices could undermine energy management strategies and grid stability. Additionally, attackers could leverage this vulnerability as a foothold for lateral movement within industrial or energy sector networks, escalating the threat landscape. The lack of vendor support and patches exacerbates the risk, as affected organizations must rely on compensating controls or device replacement to mitigate exposure.

Mitigation Recommendations

Since no patches are available due to product discontinuation and support cessation, European organizations should prioritize the following specific mitigations: 1) Identify and inventory all installations using PV-DR004J and PV-DR004JA devices to assess exposure. 2) Physically isolate or segment the Wi-Fi communication network between measurement and display units to restrict attacker proximity, employing network segmentation and strong Wi-Fi security measures such as WPA3 with robust passphrases. 3) Disable Wi-Fi communication where feasible or reduce the Wi-Fi signal range through antenna adjustments or shielding to limit attacker access. 4) Implement strict monitoring of network traffic between units to detect anomalous access attempts or data exfiltration indicative of exploitation. 5) Where possible, replace affected devices with supported, updated photovoltaic monitoring systems that do not contain hard-coded credentials and receive security updates. 6) Train operational staff to recognize signs of device tampering or malfunction that may indicate exploitation. 7) Incorporate this vulnerability into risk assessments and incident response plans to ensure preparedness. These targeted actions go beyond generic advice by focusing on compensating controls tailored to the unique constraints of unsupported legacy hardware in critical energy infrastructure.

Need more detailed analysis?Get Pro

Technical Details

Data Version
5.1
Assigner Short Name
Mitsubishi
Date Reserved
2025-05-21T05:08:54.662Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 686f7dd1a83201eaaca69a21

Added to database: 7/10/2025, 8:46:09 AM

Last enriched: 7/10/2025, 9:01:16 AM

Last updated: 7/10/2025, 2:16:08 PM

Views: 6

Actions

PRO

Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.

Please log in to the Console to use AI analysis features.

Need enhanced features?

Contact root@offseq.com for Pro access with improved analysis and higher rate limits.

Latest Threats