CVE-2025-5022

6.5 MEDIUM

📋 TL;DR

This vulnerability allows attackers within Wi-Fi range to derive passwords from SSIDs in Mitsubishi EcoGuideTAB photovoltaic monitors. If the air conditioner control function is enabled, attackers can execute ECHONET Lite commands to control connected air conditioners. Affected products were discontinued in 2015 and support ended in 2020.

💻 Affected Systems

Products:
  • Mitsubishi Electric EcoGuideTAB PV-DR004J
  • Mitsubishi Electric EcoGuideTAB PV-DR004JA
Versions: All versions
Operating Systems: Embedded system
Default Config Vulnerable: ⚠️ Yes
Notes: Air conditioner control function requires display unit version 02.00.01+ and measurement unit version 02.03.01+; products discontinued in 2015, support ended in 2020

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers within Wi-Fi range can control connected air conditioners (on/off, temperature changes) and potentially disrupt building climate control systems.

🟠 Likely Case

Attackers within Wi-Fi range can derive passwords and potentially disrupt monitoring functions of the photovoltaic system.

🟢 If Mitigated

If the air conditioner control function is disabled and Wi-Fi range is restricted, impact is limited to password exposure without operational consequences.

🌐 Internet-Facing: LOW - The vulnerability requires physical proximity within Wi-Fi range, not internet exposure.
🏢 Internal Only: MEDIUM - Requires attacker within Wi-Fi communication range between units, but no authentication needed once in range.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The attack requires physical proximity within Wi-Fi range. Deriving the password from the SSID is straightforward. Executing ECHONET Lite commands requires the air conditioner control function to be enabled.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-007_en.pdf

Restart Required: No

Instructions:

No official patch available. Products discontinued in 2015 with support ended in 2020. Consider replacement or workarounds.

🔧 Temporary Workarounds

Disable Air Conditioner Control Function

all

Prevent ECHONET Lite command execution by disabling the individual air conditioner control function

Configure through the device interface; consult the user manual.

Restrict Wi-Fi Range

all

Physically isolate devices or use RF shielding to limit Wi-Fi communication range

🧯 If You Can't Patch

  • Replace affected devices with newer supported models
  • Segment network and isolate devices from critical systems

🔍 How to Verify

Check if Vulnerable:

Check device model number (PV-DR004J or PV-DR004JA) and verify air conditioner control function status

Check Version:

Check device display for version information (display unit version 02.00.01+ and measurement unit version 02.03.01+ required for air conditioner control)

Verify Fix Applied:

Verify air conditioner control function is disabled and Wi-Fi range is restricted

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized ECHONET Lite commands in device logs
  • Unexpected air conditioner control events

Network Indicators:

  • Wi-Fi traffic between units from unexpected locations
  • ECHONET Lite protocol traffic from unauthorized sources

SIEM Query:

Search for ECHONET Lite protocol events from non-authorized MAC addresses or unexpected Wi-Fi connections
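
The search described above, sketched as an added example (not code from the vendor advisory or from this database): it parses ECHONET Lite frames (UDP port 3610) and flags write requests addressed to a home air conditioner object when the source MAC is not on an allowlist. The MAC addresses, sample frames and function names are constructed for illustration, and the capture is assumed to be already reduced to (source MAC, UDP payload) pairs.

```python
ECHONET_LITE_PORT = 3610  # UDP port ECHONET Lite uses; filter captures on it
WRITE_ESVS = {0x60: "SetI", 0x61: "SetC", 0x6E: "SetGet"}  # write-type services
HOME_AIRCON = (0x01, 0x30)  # class group / class code of a home air conditioner
EPC_NAMES = {0x80: "operation status", 0xB0: "operation mode", 0xB3: "set temperature"}

def parse_frame(data):
    """Parse an ECHONET Lite format-1 frame; return None if malformed."""
    if len(data) < 12 or data[0] != 0x10 or data[1] != 0x81:  # EHD1, EHD2
        return None
    frame = {"tid": int.from_bytes(data[2:4], "big"), "seoj": data[4:7],
             "deoj": data[7:10], "esv": data[10], "props": []}
    pos = 12
    for _ in range(data[11]):  # OPC (for SetGet only the Set list is read)
        if pos + 2 > len(data):
            return None
        epc, pdc = data[pos], data[pos + 1]
        edt = data[pos + 2:pos + 2 + pdc]
        if len(edt) != pdc:  # truncated property data
            return None
        frame["props"].append((epc, edt))
        pos += 2 + pdc
    return frame

def find_unauthorized_writes(packets, allowed_macs):
    """Return (mac, service, property, value_hex) for writes from unknown MACs."""
    allowed = {m.lower() for m in allowed_macs}
    alerts = []
    for src_mac, payload in packets:
        frame = parse_frame(payload)
        if frame is None or frame["esv"] not in WRITE_ESVS:
            continue  # malformed, or a read/notify service
        if tuple(frame["deoj"][:2]) != HOME_AIRCON or src_mac.lower() in allowed:
            continue
        for epc, edt in frame["props"]:
            alerts.append((src_mac, WRITE_ESVS[frame["esv"]],
                           EPC_NAMES.get(epc, hex(epc)), edt.hex()))
    return alerts

# Constructed sample capture: (source MAC, UDP payload). Not real traffic.
ALLOWED = ["02:00:00:00:00:01"]  # hypothetical legitimate display unit
SAMPLE = [
    ("02:00:00:00:00:01", bytes.fromhex("1081000105ff010130016101800130")),  # SetC on
    ("02:00:00:00:00:99", bytes.fromhex("1081000205ff010130016001b3011e")),  # SetI temp
    ("02:00:00:00:00:99", bytes.fromhex("1081000305ff0101300162018000")),    # Get (read)
    ("02:00:00:00:00:99", bytes.fromhex("1081000405ff010130016001b3021e")),  # truncated
]

if __name__ == "__main__":
    for alert in find_unauthorized_writes(SAMPLE, ALLOWED):
        print("ALERT", alert)
```
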
