Severity by source
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
Wi-Fi proximity required (AV:A); hard-coded credentials give unauthenticated access with no UI (PR:N/UI:N); full device-data read (C:H), limited setting changes and Wi-Fi DoS (I:L/A:L); no scope change.
Primary rating from Vendor (Mitsubishi).
CVSS VectorVendor: Mitsubishi
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
Lifecycle Timeline
1DescriptionCVE.org
Use of Hard-coded Credentials vulnerability in Mitsubishi Electric Room Air Conditioners (for Japan and outside Japan); Wireless LAN Adapters for Room Air Conditioners (for Japan and outside Japan); Wireless LAN Adapters for Packaged Air Conditioners (for Japan and outside Japan); Refrigerators (for Japan); Heat Pump Water Heaters / HEMS-Compatible Adapters / Wireless LAN Adapters (for Japan); Bathroom Dryer / Heater / Ventilation Systems (for Japan); Adapters for Airflow Ventilation Systems, Heat Pump Chilled / Hot Water Systems, and Ventilation / Air-Conditioning System Air Resorts (for Japan); Lossnay Central Ventilation Systems (for Japan); Smart Switches for Ventilation Fans and Lossnay (for Japan); IH Cooking Heaters (for Japan); and Rice Cookers (for Japan) allows an attacker within Wi-Fi radio range of an affected product to access the affected product using a hard-coded SSID and password, thereby obtaining device data such as operation status, room set temperature, and room temperature; changing the air-conditioner or Wi-Fi settings; or causing Wi-Fi communication to enter a denial-of-service (DoS) condition.
AnalysisAI
Unauthenticated adjacent-network access to a wide range of Mitsubishi Electric Wi-Fi-enabled appliances - including room air conditioners (for Japan and abroad), wireless LAN adapters for room/packaged air conditioners, refrigerators, heat-pump water heaters, bathroom dryer/heater/ventilation units, Lossnay ventilation systems, IH cooking heaters, and rice cookers - is possible via a hard-coded SSID and password embedded in the products' Wi-Fi access-point mode. An attacker within Wi-Fi radio range can read device telemetry (operation status, set/room temperature), alter air-conditioner or Wi-Fi settings, or push the Wi-Fi interface into a denial-of-service state. No public exploit is identified at time of analysis (EPSS 0.15%, percentile 5%; CISA SSVC Exploitation: none) and the issue is not in CISA KEV, but the credentials are static across the product line, making opportunistic abuse trivial once they are leaked or recovered from firmware.
Technical ContextAI
The flaw is a textbook CWE-798 (Use of Hard-coded Credentials) in the Wi-Fi onboarding/setup interface that many of these consumer and small-commercial appliances expose, typically while in AP/pairing mode or when bridging via an MAC-xxxIF / HM-WFxxx / PAC-WHS01WF-E / PAC-SK43ML wireless LAN adapter. Per the supplied CPE list, hundreds of model variants from the MSZ, MFZ, MSY, MSXY, MFZ-KW/KT, MR- (refrigerator), GT-/RMCB- (heat-pump water heater HEMS adapters), V-/WD- (bathroom dryer), VL- (Lossnay), P-xxSWRC (smart switch), RE-322SXR (IH cooker), and NJ-AWBX10 (rice cooker) families are affected, indicating that a common Wi-Fi module / firmware stack is reused across the catalog. Because the SSID and PSK are baked into firmware, every unit of the same model - and likely across model lines - accepts the same credentials, defeating the WPA-PSK confidentiality model the SSID/password pair was meant to provide.
RemediationAI
Patch availability per vendor advisory (https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2026-001_en.pdf) - apply the fixed firmware Mitsubishi publishes for your specific model and serial range; representative thresholds in the EUVD listing are firmware 42.00 for room AC models, 51.00 for several outside-Japan models, 01.77 for refrigerators, 01.72 for bathroom dryer/heater/ventilation units, 01.14/01.73 for ventilation adapters, 01.71 for Lossnay central ventilation, 01.74 for smart switches, 01.71 for the IH cooker, and 01.76 for the rice cooker, so any unit at or below those versions requires the vendor update; a meaningful share of listed entries are 'all versions', meaning the only durable fix is the model-specific firmware Mitsubishi releases. Until firmware is applied, the only effective compensating control is to keep the device out of AP/pairing mode - complete Wi-Fi onboarding promptly and then disable the device's setup-mode AP if the model permits, accepting the trade-off that re-pairing later requires re-enabling it. Where models cannot disable the setup AP, treat the device as untrusted on the LAN: place it on an isolated SSID/VLAN with no route to other home or office networks, and in dense environments (apartments, hotels, offices) prefer wired control or schedule pairing windows when no untrusted persons are in radio range. Reference JVN advisory https://jvn.jp/vu/JVNVU99620284/ and VulDB entry https://vuldb.com/vuln/371932 for tracking.
Same weakness CWE-798 – Use of Hard-coded Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37646