HIGH | CVE-2026-5667 | CNA: Mitsubishi

CVE-2026-5667: Information Disclosure, Information Tampering, or Denial-of-Service (DoS) Vulnerability in Multiple Home Appliances

Use of Hard-coded Credentials vulnerability in Mitsubishi Electric Room Air Conditioners (for Japan and outside Japan); Wireless LAN Adapters for Room Air Conditioners (for Japan and outside Japan); Wireless LAN Adapters for Packaged Air Conditioners (for Japan and outside Japan); Refrigerators (for Japan); Heat Pump Water Heaters / HEMS-Compatible Adapters / Wireless LAN Adapters (for Japan); Bathroom Dryer / Heater / Ventilation Systems (for Japan); Adapters for Airflow Ventilation Systems, Heat Pump Chilled / Hot Water Systems, and Ventilation / Air-Conditioning System Air Resorts (for Japan); Lossnay Central Ventilation Systems (for Japan); Smart Switches for Ventilation Fans and Lossnay (for Japan); IH Cooking Heaters (for Japan); and Rice Cookers (for Japan) allows an attacker within Wi-Fi radio range of an affected product to access the affected product using a hard-coded SSID and password, thereby obtaining device data such as operation status, room set temperature, and room temperature; changing the air-conditioner or Wi-Fi settings; or causing Wi-Fi communication to enter a denial-of-service (DoS) condition.

Metrics

CVSS v4.0: 7.2
Severity: HIGH
Fixed in: (none listed)
Affected Products: 2480


HarborGuard Analysis

Synopsis

Use of hard-coded credentials in Mitsubishi Electric Room Air Conditioners (and related home appliance wireless adapters) allows an attacker within Wi-Fi radio range to authenticate using a fixed, embedded SSID and password baked into the device firmware. No user account or prior access is required; the attacker only needs to be close enough to reach the device's Wi-Fi signal. Successful exploitation enables reading device state (operation status, set temperature, room temperature), changing air-conditioner or Wi-Fi settings, or disrupting Wi-Fi communication entirely. No fix version has been published; HarborGuard tracks the upstream advisory and will make a patched-image rebuild available as soon as Mitsubishi Electric releases one.

HarborGuard Coverage

Detection

Detection of CVE-2026-5667 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that embed affected Mitsubishi Electric firmware or related adapter software.

Status: Available

Triage

Triage is available with CVSS v4.0 scoring at 7.2 (HIGH), surfaced alongside each customer org's compliance policy weighting to prioritize findings appropriately. Routed findings land in the inbox of the team or individual mapped to the affected workload or image within each customer environment.

Status: Available

Patch

Because no upstream fix has been published, HarborGuard re-checks the Mitsubishi Electric advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix version is released. In the interim, HarborGuard surfaces compensating-control recommendations, including Wi-Fi network isolation and access-point-level filtering, directly on the finding.

Status: Pending upstream

Exploit Conditions

  • Network reachability

    The attacker must be within Wi-Fi radio range of the affected device; no internet-routable path is needed, but physical or adjacent-network proximity (LAN or local wireless broadcast area) is required.

  • Authentication: Not required

    The hard-coded SSID and password are embedded in the device firmware, so no legitimate credentials or account are needed to authenticate.

  • Victim interaction: Not required

    Exploitation is entirely attacker-driven; no action by a device owner or user is required.

  • Attack complexity

    Attack complexity is low: the exploit requires no race conditions, special timing, or environmental setup beyond being in Wi-Fi range and knowing the hard-coded credentials.

Blast Radius

  • Reads device operational data including current operation status, room set temperature, and room temperature.
  • Modifies air-conditioner settings (such as target temperature or operating mode) or reconfigures Wi-Fi network settings on the device.
  • Disrupts Wi-Fi communication for the affected device, causing a denial-of-service condition for any networked functionality that depends on it.
  • Impact is contained to the affected device itself; the CVSS v4.0 vector indicates no confidentiality, integrity, or availability impact on downstream or connected systems beyond the device.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-5667 is flagged on any image found to include affected Mitsubishi Electric firmware components or related adapter software, with a CVSS v4.0 score of 7.2 (HIGH) and compliance-policy-weighted priority routing. Because Mitsubishi Electric has not yet published a fix version, no patched-image rebuild is available upstream. HarborGuard re-evaluates the advisory on every ingest cycle; for customers with auto-remediation enabled, a rebuilt image and regression test run will be triggered automatically and a PR opened against affected workloads as soon as an upstream fix is published. In the meantime, HarborGuard surfaces compensating-control guidance on the finding: isolating affected devices to a dedicated Wi-Fi segment, applying access-point-level MAC filtering, and enabling egress filtering to limit what those devices can reach on the broader network.

Affected packages
  • Mitsubishi Electric Corporation / Room Air Conditioners (for Japan) MSZ-BKR2223-W
    42.00 and prior
  • Mitsubishi Electric Corporation / Room Air Conditioners (for Japan) MSZ-BKR2224-W
    42.00 and prior
  • Mitsubishi Electric Corporation / Room Air Conditioners (for Japan) MSZ-BKR2523-W
    42.00 and prior
  • Mitsubishi Electric Corporation / Room Air Conditioners (for Japan) MSZ-BKR2524-W
    42.00 and prior
  • Mitsubishi Electric Corporation / Room Air Conditioners (for Japan) MSZ-BKR2823-W
    42.00 and prior
  • Mitsubishi Electric Corporation / Room Air Conditioners (for Japan) MSZ-BKR2824-W
    42.00 and prior
  • Mitsubishi Electric Corporation / Room Air Conditioners (for Japan) MSZ-BKR3623-W
    42.00 and prior
  • Mitsubishi Electric Corporation / Room Air Conditioners (for Japan) MSZ-BKR3624-W
    42.00 and prior
  • Mitsubishi Electric Corporation / Room Air Conditioners (for Japan) MSZ-BKR4023S-W
    42.00 and prior
  • Mitsubishi Electric Corporation / Room Air Conditioners (for Japan) MSZ-BKR4024S-W
    42.00 and prior
  • Mitsubishi Electric Corporation / Room Air Conditioners (for Japan) MSZ-BKR5623S-W
    42.00 and prior
  • Mitsubishi Electric Corporation / Room Air Conditioners (for Japan) MSZ-BKR5624S-W
    42.00 and prior
  • Mitsubishi Electric Corporation / Room Air Conditioners (for Japan) MSZ-BKR6323S-W
    42.00 and prior
  • Mitsubishi Electric Corporation / Room Air Conditioners (for Japan) MSZ-BKR6324S-W
    42.00 and prior
  • Mitsubishi Electric Corporation / Room Air Conditioners (for Japan) MSZ-BKR7123S-W
    42.00 and prior
  • Mitsubishi Electric Corporation / Room Air Conditioners (for Japan) MSZ-BKR7124S-W
    42.00 and prior
  • Mitsubishi Electric Corporation / Room Air Conditioners (for Japan) MSZ-BXV2223-W
    42.00 and prior
  • Mitsubishi Electric Corporation / Room Air Conditioners (for Japan) MSZ-BXV2224-W
    42.00 and prior
  • Mitsubishi Electric Corporation / Room Air Conditioners (for Japan) MSZ-BXV2225-W
    42.00 and prior
  • Mitsubishi Electric Corporation / Room Air Conditioners (for Japan) MSZ-BXV2226-W
    42.00 and prior
  • Mitsubishi Electric Corporation / Room Air Conditioners (for Japan) MSZ-BXV2523-W
    42.00 and prior
  • Mitsubishi Electric Corporation / Room Air Conditioners (for Japan) MSZ-BXV2524-W
    42.00 and prior
  • Mitsubishi Electric Corporation / Room Air Conditioners (for Japan) MSZ-BXV2525-W
    42.00 and prior
  • Mitsubishi Electric Corporation / Room Air Conditioners (for Japan) MSZ-BXV2526-W
    42.00 and prior
  • Mitsubishi Electric Corporation / Room Air Conditioners (for Japan) MSZ-BXV2823-W
    42.00 and prior
  • Mitsubishi Electric Corporation / Room Air Conditioners (for Japan) MSZ-BXV2824-W
    42.00 and prior
  • Mitsubishi Electric Corporation / Room Air Conditioners (for Japan) MSZ-BXV2825-W
    42.00 and prior
  • Mitsubishi Electric Corporation / Room Air Conditioners (for Japan) MSZ-BXV2826-W
    42.00 and prior
  • Mitsubishi Electric Corporation / Room Air Conditioners (for Japan) MSZ-BXV3623-W
    42.00 and prior
  • Mitsubishi Electric Corporation / Room Air Conditioners (for Japan) MSZ-BXV3624-W
    42.00 and prior
CVSS Vector
CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N