PatchSiren

CVE-2026-5667 Mitsubishi Electric Corporation CVE debrief

A high-severity vulnerability, CVE-2026-5667, has been disclosed in multiple Mitsubishi Electric devices, including room air conditioners, refrigerators, and heat pump water heaters. An attacker within Wi-Fi radio range can access affected products using a hard-coded SSID and password, potentially obtaining device data, modifying settings, or causing a denial-of-service (DoS) condition. Users of these devices should take immediate action to mitigate the risk. The vulnerability has a CVSS score of 7.2 and is considered high severity. Mitsubishi Electric has released a PDF advisory [ref-5] detailing the vulnerability and mitigation strategies.

Vendor: Mitsubishi Electric Corporation
Product: Room Air Conditioners (for Japan) MSZ-BKR2223-W
CVSS: HIGH 7.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-17
Original CVE updated: 2026-06-17
Advisory published: 2026-06-17
Advisory updated: 2026-06-17

Who should care

Organizations and individuals using Mitsubishi Electric room air conditioners, refrigerators, heat pump water heaters, and other affected devices should be aware of this vulnerability and take steps to mitigate the risk. This includes administrators of critical infrastructure, building management systems, and home automation systems that incorporate these devices.

Technical summary

CVE-2026-5667 is a Use of Hard-coded Credentials vulnerability in various Mitsubishi Electric devices. An attacker within Wi-Fi radio range can access affected products using a hard-coded SSID and password, allowing them to obtain device data, change settings, or cause a DoS condition. The vulnerability is classified under CWE-798 and has a CVSS vector of CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.
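
The vector above lists every optional CVSS v4.0 metric as X (Not Defined), which hides the eleven base metrics that describe the issue. The following added example (not code from PatchSiren or Mitsubishi Electric; the function and table names are illustrative) validates the vector and rebuilds it without the undefined metrics:

```python
# Added example: reduce the CVSS v4.0 vector quoted in this debrief to the
# metrics that are actually set. All names here are illustrative.

VECTOR = ("CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N/"
          "E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/"
          "MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X")

# Allowed values for the eleven mandatory base metrics (CVSS v4.0).
BASE = {name: set(values) for name, values in {
    "AV": "NALP", "AC": "LH", "AT": "NP", "PR": "NLH", "UI": "NPA",
    "VC": "HLN", "VI": "HLN", "VA": "HLN",
    "SC": "HLN", "SI": "HLN", "SA": "HLN",
}.items()}


def parse_vector(vector):
    """Return (base, optional_set, undefined) for a CVSS v4.0 vector."""
    prefix, *parts = vector.strip().split("/")
    if prefix != "CVSS:4.0":
        raise ValueError(f"not a CVSS v4.0 vector: {prefix!r}")
    base, optional_set, undefined = {}, {}, []
    for part in parts:
        name, sep, value = part.partition(":")
        if not sep or not value:
            raise ValueError(f"malformed metric: {part!r}")
        if name in base or name in optional_set or name in undefined:
            raise ValueError(f"duplicate metric: {name}")
        if name in BASE:
            if value not in BASE[name]:
                raise ValueError(f"invalid value {value!r} for {name}")
            base[name] = value
        elif value == "X":
            undefined.append(name)      # Not Defined: carries no information
        else:
            optional_set[name] = value  # threat/environmental/supplemental
    missing = [m for m in BASE if m not in base]
    if missing:
        raise ValueError(f"missing base metrics: {missing}")
    return base, optional_set, undefined


def reduced_vector(vector):
    """Rebuild the vector without Not Defined (X) metrics."""
    base, optional_set, _ = parse_vector(vector)
    pairs = list(base.items()) + list(optional_set.items())
    return "CVSS:4.0/" + "/".join(f"{k}:{v}" for k, v in pairs)


if __name__ == "__main__":
    print(reduced_vector(VECTOR))
```

In the reduced form, AV:A (adjacent) matches the Wi-Fi radio range condition described above, PR:N and UI:N mean no privileges or user interaction are required, and VC:H marks confidentiality as the most affected property.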

Defensive priority

High

Recommended defensive actions

  • Immediately update device firmware to the latest version, if available.
  • Change default passwords and SSIDs on affected devices.
  • Implement secure Wi-Fi configurations, such as WPA2 or WPA3.
  • Limit access to affected devices to only necessary personnel.
  • Monitor device activity for suspicious behavior.
  • Consider isolating affected devices on a separate network.
  • Regularly review and update device configurations to ensure security best practices are followed.

Evidence notes

The CVE-2026-5667 vulnerability was disclosed by Mitsubishi Electric through their PSIRT (Product Security Incident Response Team) and is listed on the Japan Vulnerability Notes (JVN) website [ref-4]. The vulnerability details are also documented in a PDF advisory released by Mitsubishi Electric [ref-5].
