FKIE_CVE-2025-5023

Vulnerability from fkie_nvd - Published: 2025-07-10 09:15 - Updated: 2025-09-19 01:15
Severity ?
7.1 (High) - CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H
Summary
Use of Hard-coded Credentials vulnerability in Mitsubishi Electric Corporation photovoltaic system monitor “EcoGuideTAB” PV-DR004J all versions and PV-DR004JA all versions allows an attacker within the Wi-Fi communication range between the units of the product (measurement unit and display unit) to disclose information such as generated power and electricity sold back to the grid stored in the product, tamper with or destroy stored or configured information in the product, or cause a Denial-of-Service (DoS) condition on the product, by using hardcoded user ID and password common to the product series obtained by exploiting CVE-2025-5022. The affected products discontinued in 2015, support ended in 2020.
References
Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jphttps://jvn.jp/vu/JVNVU90283680/
Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jphttps://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-007_en.pdf
Impacted products
Vendor Product Version
To clipboard 

{
  "cveTags": [
    {
      "sourceIdentifier": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp",
      "tags": [
        "unsupported-when-assigned"
      ]
    }
  ],
  "descriptions": [
    {
      "lang": "en",
      "value": "Use of Hard-coded Credentials vulnerability in Mitsubishi Electric Corporation photovoltaic system monitor \u201cEcoGuideTAB\u201d PV-DR004J all versions and PV-DR004JA all versions allows an attacker within the Wi-Fi communication range between the units of the product (measurement unit and display unit) to disclose information such as generated power and electricity sold back to the grid stored in the product, tamper with or destroy stored or configured information in the product, or cause a Denial-of-Service (DoS) condition on the product, by using hardcoded user ID and password common to the product series obtained by exploiting CVE-2025-5022. The affected products discontinued in 2015, support ended in 2020."
    },
    {
      "lang": "es",
      "value": "La vulnerabilidad de uso de credenciales codificadas en el monitor del sistema fotovoltaico \u201cEcoGuideTAB\u201d de Mitsubishi Electric Corporation (PV-DR004J y PV-DR004JA en todas sus versiones) permite a un atacante dentro del rango de comunicaci\u00f3n Wi-Fi entre las unidades del producto (unidad de medici\u00f3n y unidad de visualizaci\u00f3n) divulgar informaci\u00f3n, como la energ\u00eda generada y la electricidad vendida a la red el\u00e9ctrica, almacenada en el producto, manipular o destruir informaci\u00f3n almacenada o configurada en el producto, o provocar una denegaci\u00f3n de servicio (DoS) en el producto mediante el uso de un ID de usuario y una contrase\u00f1a codificados, comunes a la serie del producto, obtenidos mediante la explotaci\u00f3n de CVE-2025-5022. Sin embargo, el producto no se ve afectado por esta vulnerabilidad si permanece sin uso durante un per\u00edodo determinado (predeterminado: 5 minutos) y entra en modo de ahorro de energ\u00eda con la pantalla LCD de la unidad de visualizaci\u00f3n apagada. Los productos afectados se discontinuaron en 2015 y el soporte t\u00e9cnico finaliz\u00f3 en 2020."
    }
  ],
  "id": "CVE-2025-5023",
  "lastModified": "2025-09-19T01:15:34.680",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "HIGH",
          "attackVector": "ADJACENT_NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "LOW",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.6,
        "impactScore": 5.5,
        "source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-07-10T09:15:30.623",
  "references": [
    {
      "source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp",
      "url": "https://jvn.jp/vu/JVNVU90283680/"
    },
    {
      "source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp",
      "url": "https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-007_en.pdf"
    }
  ],
  "sourceIdentifier": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp",
  "vulnStatus": "Awaiting Analysis",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-798"
        }
      ],
      "source": "Mitsubishielectric.Psirt@yd.MitsubishiElectric.co.jp",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.