This vulnerability (CVE-2026-5667) is classified as CWE-798, indicating the use of hard-coded credentials in Mitsubishi Electric Corporation products, including room air conditioners (model MSZ-BKR2223-W for Japan), wireless LAN adapters, refrigerators, and other household appliances. The hard-coded SSID and password allow an attacker within Wi-Fi radio range to access the affected device without authorization. This access can lead to disclosure of device data such as operation status and temperature settings, unauthorized modification of air-conditioner or Wi-Fi configurations, and disruption of Wi-Fi communications resulting in denial-of-service. The vulnerability is rated with a CVSS 4.0 base score of 7.2 (high severity) with attack vector as adjacent network, low attack complexity, no privileges or user interaction required, but with high impact on confidentiality and low to limited impact on integrity and availability. No vendor advisory or patch information is currently available, and no known exploits in the wild have been reported.

An attacker within Wi-Fi range can leverage the hard-coded credentials to gain unauthorized access to affected Mitsubishi Electric devices. This can result in disclosure of sensitive device data (operation status, room temperature settings), unauthorized changes to device or network configurations, and denial-of-service conditions affecting Wi-Fi communications. The impact includes potential privacy violations and disruption of device functionality.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should limit Wi-Fi access to trusted networks and consider network segmentation or disabling wireless features if feasible. Monitor vendor communications for updates on patches or mitigations.