Mitsubishi Electric EcoGuideTAB Photovoltaic System Monitor Hard-Coded Credentials Vulnerability

Vulnerability

A vulnerability allowing information disclosure, data tampering, and denial-of-service conditions has been identified in all versions of the Mitsubishi Electric EcoGuideTAB photovoltaic system monitor, models PV-DR004J and PV-DR004JA. The vulnerability arises from the use of hard-coded credentials, which can be exploited by an attacker within Wi-Fi range of the product's measurement and display units. The attacker can access information such as generated power and electricity sold back to the grid, manipulate or delete stored data, or cause a denial-of-service condition. The product is not affected, however, once it has entered power-saving mode, which happens after five minutes of inactivity. The EcoGuideTAB was discontinued in 2015, with support ending in 2020.

Impact

Exploitation of this vulnerability allows an attacker to access and manipulate information stored in the product, disrupt its normal functioning, or cause a denial-of-service condition.

Remediation

Mitsubishi Electric recommends discontinuing use of the affected products. Users who cannot do so immediately should turn off the display unit when it is not in use and prevent unauthorized access to the product's Wi-Fi communication range.

Added: Jul 10, 2025, 10:31 AM
Updated: Jul 10, 2025, 10:31 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 4.5
remediation: 0.0
relevance: 0.2
threat: 0.0
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.