CVE-2026-5667
HighCVSS 7.2Summary
A vulnerability related to the use of hard-coded credentials in various Mitsubishi Electric products, such as air conditioners and ventilation devices. An attacker within Wi-Fi range can access the device using a hard-coded SSID and password.
Risk Assessment
The organization is at risk of unauthorized access to device data and the ability to change settings, potentially leading to disruptions in the operation of air conditioning and ventilation systems.
Recommendation
It is recommended to update the device firmware and change default credentials to stronger ones to minimize the risk of unauthorized access.
Original NVD description (English source)
Use of Hard-coded Credentials vulnerability in Mitsubishi Electric Room Air Conditioners (for Japan and outside Japan); Wireless LAN Adapters for Room Air Conditioners (for Japan and outside Japan); Wireless LAN Adapters for Packaged Air Conditioners (for Japan and outside Japan); Refrigerators (for Japan); Heat Pump Water Heaters / HEMS-Compatible Adapters / Wireless LAN Adapters (for Japan); Bathroom Dryer / Heater / Ventilation Systems (for Japan); Adapters for Airflow Ventilation Systems, Heat Pump Chilled / Hot Water Systems, and Ventilation / Air-Conditioning System Air Resorts (for Japan); Lossnay Central Ventilation Systems (for Japan); Smart Switches for Ventilation Fans and Lossnay (for Japan); IH Cooking Heaters (for Japan); and Rice Cookers (for Japan) allows an attacker within Wi-Fi radio range of an affected product to access the affected product using a hard-coded SSID and password, thereby obtaining device data such as operation status, room set temperature, and room temperature; changing the air-conditioner or Wi-Fi settings; or causing Wi-Fi communication to enter a denial-of-service (DoS) condition.

