Use of Hard-coded Credentials in Mitsubishi Electric EcoGuideTAB PV System
CVE-2025-5023

7.1 HIGH

What is CVE-2025-5023?

The Mitsubishi Electric EcoGuideTAB photovoltaic system monitor uses hard-coded credentials. An attacker within Wi-Fi range can use them to gain unauthorized access to sensitive data, including generated power and energy sold to the grid. The attacker could also tamper with or erase critical configuration data and potentially trigger a denial-of-service condition. All versions of both the PV-DR004J and PV-DR004JA models are affected. The vulnerability only affects active devices: a device that enters power-saving mode after being unused for up to 5 minutes is safeguarded against unauthorized access.

Affected Version(s)

PV-DR004J All versions

PV-DR004JA All versions

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Adjacent Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
