Flaw in Mitsubishi Electric Home Appliances (AC, Fridge & More): Someone on Your Wi-Fi Can Knock Out Remote Control, CVE-2025-49604, Update the Firmware
Mitsubishi Electric disclosed CVE-2025-49604 affecting a wide range of Wi-Fi-enabled home appliances — air conditioners, refrigerators, rice cookers, IH cooktops and more. A device on the same Wi-Fi sending crafted traffic can temporarily halt the appliance's Wi-Fi, blocking smartphone remote control. There is no risk of data theft or takeover, but affected models should update to the fixed firmware.

Makoto Horikawa
Backend Engineer / AWS / Django
Mitsubishi Electric has disclosed a vulnerability affecting a wide range of its Wi-Fi-enabled home appliances — air conditioners, refrigerators, rice cookers, IH cooktops and more. A device on the same Wi-Fi network can send crafted traffic that temporarily knocks out the appliance's Wi-Fi, leaving you unable to control it from your smartphone app. It is tracked as CVE-2025-49604, with a severity of CVSS 5.4 (Medium).
The flaw is not in software Mitsubishi wrote itself, but in the Wi-Fi driver for a wireless chip made by Taiwan's Realtek. Mitsubishi is one of many manufacturers that build the chip into their products, so a single faulty part puts a long list of appliances in scope at once. The advisory was published through JPCERT/CC's JVN portal (JVNVU#99483706), and its remediation status was updated on June 11, 2026.
Here is the bottom line first. This is not a "your appliance gets hijacked" or "your data gets stolen" story. In its official advisory, Mitsubishi states that the affected products store no confidential information such as personal data, and that the flaw carries no risk of information disclosure or unauthorized device operation. All that happens is a temporary halt of Wi-Fi communication, and in most cases the device restarts on its own and recovers. Even so, if you own an affected model, updating to the fixed firmware is the safe move.
What actually happens: smartphone remote control stops working for a while
Modern Mitsubishi appliances can be operated and monitored from dedicated smartphone apps (such as "Kirigamine REMOTE" for room air conditioners or "MyMU" for heat-pump water heaters) even when you are away — turning on the AC before you get home, starting hot-water heating remotely, checking the fridge. This vulnerability lives in the Wi-Fi communication layer that makes that remote control possible.
Specifically, a device on the same Wi-Fi network can send deliberately malformed traffic (a crafted Wi-Fi frame) that breaks the appliance's Wi-Fi processing and temporarily stops communication. While it is down, the app cannot operate the device, register it, or pull information from it. According to Mitsubishi, the device usually reboots automatically and communication returns; if it does not, power-cycling the unit restores it.
The key point is that the impact is limited to temporary disruption of remote control. The AC does not turn on by itself, the set temperature cannot be changed from outside, and household traffic cannot be eavesdropped. In security terms, this is not about stealing information (confidentiality) or altering settings (integrity), but only about making something unavailable (availability). That said, for households that now routinely switch on the AC from outside in midsummer or midwinter, "unavailable" is a real inconvenience.
Is your appliance affected? Many Wi-Fi models are
Mitsubishi's list of affected products spans 13 categories and covers a fairly broad range of Wi-Fi-enabled appliances. Products without Wi-Fi, or Wi-Fi-capable products that are not actually connected to a network, are out of scope. The main categories are as follows.
| Category | Mainly affected | Action |
|---|---|---|
| Room air conditioners (domestic & overseas) | Wi-Fi built-in / capable models, wireless LAN adapters (MAC-900IF etc.) | Update to fixed firmware (e.g. ≤41.00 → 42.00+) |
| Packaged air conditioners | Wi-Fi-capable models for shops and offices | Update to fixed firmware |
| Refrigerators | Wi-Fi-capable models | Update to fixed firmware |
| Heat-pump water heaters / HEMS | Capable models, control & wireless LAN adapters | Update to fixed firmware |
| Bath dryer/heater/ventilation, Lossnay ventilation | Capable models, smart switches | Update to fixed firmware |
| IH cooktops & rice cookers | Wi-Fi-capable models | Update to fixed firmware |
The exact affected model numbers (such as the wireless LAN adapter MAC-900IF or the overseas MAC-587IF-E) and each fixed version and release date are listed in Mitsubishi's official advisory. The surest way to tell whether your unit qualifies is to check its version on the app's "adapter information" / "wireless LAN software" screen. The June 11 update reflected updated release timing for the fixes and corrected some wording — it did not add any new vulnerability.
Who would exploit this, and what do you lose when it stops
With a medium severity and an impact limited to a temporary communication outage, this is not the kind of flaw that draws attackers worldwide. But laying out the condition for the attack and the moments where the outage actually hurts makes it clear whose problem this is. The attack has just one prerequisite: the attacker must be on the same Wi-Fi as the appliance.
So the people who can reach it are not hackers in a distant country, but a guest you gave the Wi-Fi password to, a neighbor who cracked it, someone living in the same house, or malware that has already slipped onto one device (a phone, a smart TV, a robot vacuum) and is trying to spread sideways. What they can do is send one crafted signal and silence the communication channel of the AC, the water heater, the fridge all at once. The moment that single frame lands, the home's Wi-Fi appliances shut their remote-control window together and become "boxes that no longer respond" to your phone.
Technically, this is not a remotely exploitable flaw; it is an "adjacent" problem that only someone already inside the same network can trigger. That is exactly why it matters as a piece of a larger intrusion. The more a home ties its air conditioning or ventilation to smart locks, monitoring cameras, or presence detection, the more a well-timed shutdown of climate control becomes a way to mask or shake up another attack. Because Realtek chips sit inside countless IoT devices, the same "the appliance's Wi-Fi part is at fault" class of bug will keep reappearing in new forms.
The number CVSS 5.4 (5.1 in Mitsubishi's own assessment) is not technically high. What you lose is "convenience" — not being able to start the AC before you get home, not being able to turn off hot water from outside. Yet the heavier thing is not the inconvenience itself but the fact that, for the disruption to succeed, someone is already inside your home Wi-Fi. An appliance that suddenly stops responding may be a sign that there is an uninvited guest on your network.
A technical look: a hole in how the Realtek chip reassembles radio frames
CVE-2025-49604: a buffer overflow from insufficient checking of fragmented Wi-Fi frames
CVE-2025-49604 is a heap-based buffer overflow (CWE-122, writing past the bounds of an allocated memory region) in the software for Realtek's Wi-Fi chips (Ameba-family parts such as the RTL8721D). Wi-Fi splits large data into smaller chunks (fragments of a frame) for transmission, and the receiver reassembles them. The problem is that during this reassembly the size of each chunk was not adequately validated. A fragment crafted to declare an abnormal size causes more data than expected to be written, the memory region overflows, and Wi-Fi processing breaks.
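As an added illustration (not Realtek's or Mitsubishi's code, and not from the original article), here is a minimal fragment reassembler in C that carries the bounds checks a CWE-122 reassembly bug lacks; the buffer size, fragment cap, field names and return codes are assumptions chosen for the example, and the hostile input is constructed.

```c
#include <stdint.h>
#include <string.h>
/* Hypothetical limits for illustration, not values from any vendor driver. */
#define REASM_MAX_BYTES 2304   /* most a reassembled frame may hold */
#define REASM_MAX_FRAGS 16     /* most fragments one frame may have */
enum { REASM_OK = 0, REASM_NEED_MORE = 1, REASM_ERR_SEQ = -1, REASM_ERR_SIZE = -2, REASM_ERR_TOOMANY = -3 };
typedef struct {
    uint8_t  buf[REASM_MAX_BYTES];  /* fixed-size reassembly buffer */
    size_t   len;                   /* bytes accumulated so far */
    unsigned next_frag;             /* fragment number expected next */
    int      complete;
} reasm_t;

void reasm_init(reasm_t *r) { memset(r, 0, sizeof *r); }

/* Append one fragment. Every rejecting branch resets the state and copies nothing.
 * The cumulative size test is the check a CWE-122 reassembly bug lacks: without it,
 * a fragment declaring more bytes than the remaining room is memcpy'd past buf. */
int reasm_add(reasm_t *r, unsigned frag_no, int more_frags, const uint8_t *data, size_t len)
{
    if (r->complete || frag_no != r->next_frag) { reasm_init(r); return REASM_ERR_SEQ; }
    if (frag_no >= REASM_MAX_FRAGS)             { reasm_init(r); return REASM_ERR_TOOMANY; }
    /* first clause keeps r->len + len from wrapping around on size_t */
    if (len > REASM_MAX_BYTES || r->len + len > REASM_MAX_BYTES) { reasm_init(r); return REASM_ERR_SIZE; }
    memcpy(r->buf + r->len, data, len);
    r->len += len;
    r->next_frag++;
    if (more_frags) return REASM_NEED_MORE;
    r->complete = 1;
    return REASM_OK;
}

/* Well-formed case: two fragments (100 + 50 bytes) reassemble; returns 150. */
size_t demo_normal(void)
{
    reasm_t r; uint8_t frag[100];
    reasm_init(&r); memset(frag, 'A', sizeof frag);
    if (reasm_add(&r, 0, 1, frag, 100) != REASM_NEED_MORE) return 0;
    if (reasm_add(&r, 1, 0, frag, 50) != REASM_OK) return 0;
    return r.len;
}

/* Constructed hostile case: the first fragment (2000 bytes) fits on its own, the second
 * (400 bytes) would spill past buf without the cumulative check. Returns 1 if rejected. */
int demo_oversized(void)
{
    reasm_t r; static uint8_t big[REASM_MAX_BYTES];
    reasm_init(&r); memset(big, 'B', sizeof big);
    if (reasm_add(&r, 0, 1, big, 2000) != REASM_NEED_MORE) return 0;
    return reasm_add(&r, 1, 0, big, 400) == REASM_ERR_SIZE && r.len == 0;
}
```

A per-fragment size check alone would pass both fragments of the hostile case; only the cumulative check against the buffer's real capacity stops the write.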
This is the crux of the case. The bug is not in software Mitsubishi wrote, but in the software on the Realtek Wi-Fi chip that is built into the appliance as a component. Just as your phone or PC runs on semiconductors from other companies, an appliance's Wi-Fi function is built on these shared parts. So when one part is found to have a hole, every air conditioner, refrigerator, and water heater using that part is affected together. The fix flows as follows: Realtek updates the driver in its official security bulletin, and each manufacturer folds that into its own product firmware and ships it. Updating to Mitsubishi's fixed firmware is the final stage of that chain.
Severity ratings differ slightly by source. The US NVD rates it CVSS v3.1 5.4 (Medium), while Mitsubishi, using CVSS v4.0 to reflect real-world conditions, rates it 5.1 — attack vector "Adjacent (same Wi-Fi)," impact on availability only (communication merely stops). The flaw was found and reported by a researcher at the Taiwanese security firm DEVCORE, credited in Realtek's bulletin. We searched X (formerly Twitter) for comments on this issue from those involved or from researchers, but found no verifiable posts, so this article includes no embeds.
Impact and response at a glance
| Item | Detail |
|---|---|
| CVE | CVE-2025-49604 (CWE-122 heap buffer overflow) |
| Severity | CVSS v3.1: 5.4 / v4.0: 5.1 (both Medium) |
| Prerequisite | Attacker on the same Wi-Fi + sends a crafted frame (adjacent) |
| Impact | Appliance Wi-Fi halts temporarily → no remote control, registration, or info via smartphone (usually auto-recovers) |
| Data theft / takeover | None (stated by Mitsubishi) |
| Mitigation | Update to fixed firmware / harden Wi-Fi settings if no fix yet |
As of publication, the issue is not listed in the CISA KEV catalog (vulnerabilities confirmed to be exploited in the wild), and no exploitation has been reported. Because the impact is confined to a temporary outage, this is not a flaw to panic over. Still, these are appliances people keep for years, so fixing what can be fixed, sooner, is the right call. On the foundation side of the home network, Wi-Fi router vulnerabilities keep appearing too, so keeping both the gateway (router) and the endpoints (appliances) up to date matters.
What users should do now
This applies to households and shops using Wi-Fi-enabled Mitsubishi appliances. In priority order:
1. Check the version in the app and update to the fix. This is the core action. Open the per-product app such as "Kirigamine REMOTE" or "MyMU," check the version on the "adapter information" / "wireless LAN software" screen, and apply the update if one is available. Updates run via the app and cloud, so keep the device connected to the network while you do it.
2. For models with no fix yet, harden your Wi-Fi. Mitsubishi recommends home-side mitigations for products without a fix yet: use WPA2 (AES) or stronger encryption and avoid WEP or open networks, set a hard-to-guess strong password, keep unknown devices off the network, and keep the router's own software up to date. Since the attack requires "being on the same Wi-Fi," keeping strangers off your network directly helps.
3. Separate guest and appliance networks. Use the "guest Wi-Fi" feature most routers have to keep visitors' phones and unfamiliar smart gadgets off the main network where your appliances live. That breaks the very "attacker on the same Wi-Fi" prerequisite — and it helps with smart appliances in general, not just this issue.
4. If an appliance stops responding, reboot first. Communication usually recovers on its own, but if it does not, power-cycling the unit restores it. If it keeps stopping repeatedly, also check whether there is a suspicious device on your network.
An appliance's Wi-Fi rides on "shared parts"
What this case makes clear again is that even familiar appliances like air conditioners and refrigerators are built inside from general-purpose Wi-Fi chips and the software on them. Back in 2022, Mitsubishi appliances had another flaw from the same Realtek chips (CVE-2022-34326) that temporarily halted Wi-Fi. The more a part is shared, the more you gain convenience in bulk — and inherit the weak spots in bulk too.
Realtek chips are used widely across internet-connected devices worldwide, from routers to toys, and a flaw in the company's software has in the past spread to dozens of manufacturers and hundreds of thousands of units. Home networks keep accumulating devices built on shared parts and software beyond the router. Each individual flaw may be small, but periodically reviewing "what internet-connected devices are in my home, and are they each up to date" is the most effective defense of all. A limited-impact case like this one is a good prompt to make that review a habit.
Bottom line: not a flaw to panic over, but not one to ignore
CVE-2025-49604 affects a broad range of Mitsubishi's Wi-Fi appliances, but all it does is temporarily halt Wi-Fi via disruption from someone on the same network. There is no eavesdropping and no unauthorized control. The severity is a medium CVSS 5.x, and there is no sign of active exploitation. The cause was that the Realtek Wi-Fi chip software built into the appliances lacked size checking when reassembling fragmented radio frames.
What to do is simple. Check your unit's version in the app and update if a fix is out; if not, split guest and appliance Wi-Fi and keep unknown devices off it. No need to rush, but because these are appliances you will use for years, fix what you can. Keep it in the back of your mind just enough that, if an appliance suddenly stops responding, you can think "maybe that's it."
References
- JVNVU#99483706 - Heap-based buffer overflow in the Realtek Wi-Fi driver bundled in multiple Mitsubishi Electric home appliances
- NVD - CVE-2025-49604
- Mitsubishi Electric - Vulnerability Information (PSIRT)
- Mitsubishi Electric - Advisory 2025-024 (affected products & fixed versions)
- Realtek Ameba - Security Bulletin CVE-2025-49604
- DEVCORE - CVE list (researcher credit)
- CWE-122 - Heap-based Buffer Overflow
- JVNVU#98082029 - Realtek-chip flaw in Mitsubishi appliances (CVE-2022-34326, 2022)
- CISA KEV Catalog