CVSS Vector (NVD)
CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:H
Description (NVD)
Use of Hard-coded Credentials vulnerability in Mitsubishi Electric Corporation photovoltaic system monitor “EcoGuideTAB” PV-DR004J all versions and PV-DR004JA all versions allows an attacker within the Wi-Fi communication range between the units of the product (measurement unit and display unit) to disclose information such as generated power and electricity sold back to the grid stored in the product, tamper with or destroy stored or configured information in the product, or cause a Denial-of-Service (DoS) condition on the product, by using hardcoded user ID and password common to the product series obtained by exploiting CVE-2025-5022. The affected products were discontinued in 2015, and support ended in 2020.
Analysis (AI)
CVE-2025-5023 is a hard-coded credential vulnerability in Mitsubishi Electric's EcoGuideTAB photovoltaic system monitor (models PV-DR004J and PV-DR004JA, all versions) that allows attackers within Wi-Fi range to disclose sensitive power generation data, tamper with stored information, or cause denial-of-service. The vulnerability is chained with CVE-2025-5022 and affects products discontinued in 2015 with support ended in 2020, making patching unlikely; real-world risk is moderate despite the 7.1 CVSS score due to the product's age and narrow deployment window.
Technical Context (AI)
EcoGuideTAB PV-DR004J/PV-DR004JA systems use a wireless communication architecture between measurement units and display units operating over Wi-Fi. The vulnerability stems from CWE-798 (Use of Hard-coded Credentials), where a static, shared user ID and password embedded in the firmware is used for authentication between communicating units. Exploitation requires prior knowledge of these hard-coded credentials, which are obtainable through CVE-2025-5022 (information disclosure). The hard-coded nature of these credentials means they cannot be changed post-deployment and are identical across all units of the affected product series. The Wi-Fi communication channel is unencrypted or insufficiently protected, allowing an attacker within radio range to intercept or inject commands using the disclosed credentials. The affected CPE would be approximately 'cpe:2.3:h:mitsubishielectric:ecoguidetab_pv-dr004j:*:*:*:*:*:*:*:*' and 'cpe:2.3:h:mitsubishielectric:ecoguidetab_pv-dr004ja:*:*:*:*:*:*:*:*' covering all firmware versions.
Remediation (AI)
No patch is available, and none will be issued, because the product is end-of-life (discontinued 2015, support ended 2020). Organizations operating affected PV-DR004J or PV-DR004JA units should consider the following mitigation strategies:
(1) Network isolation: Restrict Wi-Fi access to the PV monitoring system using network segmentation, MAC address filtering, or access control lists; ensure the measurement and display units communicate only with each other and not with untrusted networks.
(2) Physical security: Limit physical access to the Wi-Fi broadcast range and place systems in areas with controlled access.
(3) Upgrade path: Migrate to current-generation Mitsubishi Electric photovoltaic monitoring solutions that employ modern authentication and encryption.
(4) CVE-2025-5022 mitigation: Implement protections against the information disclosure vulnerability (CVE-2025-5022) that enables credential extraction, if applicable to your environment.
(5) Monitoring: Implement network-level monitoring to detect unusual Wi-Fi communication patterns or repeated authentication attempts to the PV system.
Contact Mitsubishi Electric support for guidance on secure decommissioning and replacement options.
EUVD-2025-20984