
CVE-2025-5023: CWE-798 Use of Hard-coded Credentials in Mitsubishi Electric Corporation PV-DR004J

Severity: High
Tags: Vulnerability, CVE-2025-5023, cve, cve-2025-5023, cwe-798
Published: Thu Jul 10 2025 (07/10/2025, 08:34:13 UTC)
Source: CVE Database V5
Vendor/Project: Mitsubishi Electric Corporation
Product: PV-DR004J

Description

Use of Hard-coded Credentials vulnerability in Mitsubishi Electric Corporation photovoltaic system monitor “EcoGuideTAB” PV-DR004J all versions and PV-DR004JA all versions allows an attacker within the Wi-Fi communication range between the units of the product (measurement unit and display unit) to disclose information such as generated power and electricity sold back to the grid stored in the product, tamper with or destroy stored or configured information in the product, or cause a Denial-of-Service (DoS) condition on the product, by using hardcoded user ID and password common to the product series obtained by exploiting CVE-2025-5022. However, the product is not affected by this vulnerability when it remains unused for a certain period of time (default: 5 minutes) and enters the power-saving mode with the display unit's LCD screen turned off. The affected products were discontinued in 2015, and support ended in 2020.

AI-Powered Analysis

Last updated: 07/17/2025, 20:36:56 UTC

Technical Analysis

CVE-2025-5023 is a high-severity vulnerability classified under CWE-798 (Use of Hard-coded Credentials). It affects all versions of Mitsubishi Electric Corporation's photovoltaic system monitor models PV-DR004J and PV-DR004JA. An attacker within Wi-Fi communication range between the measurement unit and the display unit can use a hard-coded user ID and password to access the product. These credentials are common across the product series and can be obtained by exploiting a related vulnerability, CVE-2025-5022. With this access, the attacker can disclose information stored on the device, such as generated power data and electricity sold back to the grid. The attacker can also tamper with or destroy stored or configured information, or cause a Denial-of-Service (DoS) condition on the product, potentially disrupting the monitoring and management of photovoltaic energy systems. Notably, the product is not affected while it is in power-saving mode, which it enters after remaining unused for a set period (default: five minutes) and in which the display unit's LCD screen is turned off. The affected products were discontinued in 2015 and official support ended in 2020, meaning no patches or updates are available to remediate this vulnerability. The CVSS v3.1 base score is 7.1 (High): attack vector adjacent network (Wi-Fi), high attack complexity, no privileges required, no user interaction, unchanged scope, low confidentiality impact, and high integrity and availability impacts.

Potential Impact

For European organizations utilizing Mitsubishi Electric's PV-DR004J or PV-DR004JA photovoltaic monitoring systems, this vulnerability poses significant risks. Attackers within Wi-Fi range could access and manipulate critical energy production data, potentially leading to inaccurate reporting of energy generation and sales back to the grid. This could affect billing, energy management, and regulatory compliance. Tampering or destruction of configuration data could disrupt photovoltaic system operations, causing downtime or degraded performance, which impacts operational continuity and energy efficiency. A Denial-of-Service condition could result in loss of monitoring capabilities, hindering timely detection of system faults or failures. Given the discontinuation and lack of support, organizations cannot rely on vendor patches, increasing exposure. The confidentiality impact is relatively low, but the high integrity and availability impacts could have operational and financial consequences. Additionally, energy infrastructure is considered critical infrastructure in Europe, so exploitation could have broader implications for energy grid stability and security, especially for organizations involved in renewable energy production or grid services.

Mitigation Recommendations

Since the affected products are discontinued and unsupported, traditional patching is not an option. European organizations should consider the following specific mitigations:

1) Network Segmentation: Isolate the photovoltaic monitoring devices on a dedicated Wi-Fi network with strict access controls to limit exposure to only trusted devices and personnel.
2) Wi-Fi Security Enhancements: Use strong Wi-Fi encryption (WPA3 if supported) and disable any unnecessary wireless interfaces or services on the devices if possible.
3) Physical Security: Restrict physical access to the devices to prevent attackers from positioning themselves within Wi-Fi range.
4) Monitoring and Detection: Implement network monitoring to detect unusual access patterns or attempts to connect to the devices using the known hard-coded credentials.
5) Device Replacement: Plan and prioritize replacement of these discontinued devices with newer, supported models that do not have this vulnerability.
6) Operational Controls: Limit the time devices are active and connected, leveraging the power-saving mode feature to reduce attack windows.
7) Incident Response Preparedness: Develop response plans for potential compromise scenarios involving photovoltaic monitoring systems to minimize operational impact.


Technical Details

Data Version: 5.1
Assigner Short Name: Mitsubishi
Date Reserved: 2025-05-21T05:08:54.662Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 686f7dd1a83201eaaca69a21

Added to database: 7/10/2025, 8:46:09 AM

Last enriched: 7/17/2025, 8:36:56 PM

Last updated: 8/22/2025, 10:40:41 AM
