Mitsubishi Electric Wi-Fi Home Appliances Hit by Hard-coded Password Flaw: CVE-2026-5667

Mitsubishi Electric disclosed that many Wi-Fi-enabled home appliances—air conditioners, refrigerators, water heaters, IH cooktops, rice cookers and more—shipped with a hard-coded password (CVE-2026-5667). Appliances left with Wi-Fi on but never connected to a home router can let a nearby third party read operating data or change settings. Here are the affected models and what to do now.

Makoto Horikawa

Backend Engineer / AWS / Django

2026.06.15

On June 11, 2026, Mitsubishi Electric disclosed a vulnerability in its Wi-Fi-enabled home appliances. The affected lineup is broad and familiar: room air conditioners, refrigerators, water heaters, IH cooktops, rice cookers, bathroom ventilation/drying units and more. The root cause is that the same credentials were embedded in every product, and the issue is tracked as CVE-2026-5667.

It was also published on June 15 as a domestic advisory, JVNVU#99620284, in Japan's JVN vulnerability database run by IPA and JPCERT/CC. The heart of the problem: every affected model ships with the same fixed network name (SSID) and the same fixed password. When certain conditions line up, a nearby third party can connect to the appliance without even needing to enter a password.

That said, only a specific usage pattern is actually exposed. This is not a reason to rush out and replace your appliances. This article walks general readers through what can happen, how to tell whether your own appliance is affected, and what to do right now.

What can actually happen

In one sentence: a third party within radio range may be able to connect to the appliance without a password and read its operating data or change its settings.

According to Mitsubishi Electric, an attacker moves within range of the Wi-Fi signal the appliance emits, then connects using the fixed SSID and fixed password baked into the product. Once connected, they may steal device data such as the air conditioner's operating state, the set temperature and the room temperature; change air conditioner or Wi-Fi settings; or temporarily knock out Wi-Fi communication (a denial-of-service, or DoS).

There are also clear reasons not to overreact. Mitsubishi Electric explicitly states that these products do not hold personal information such as names or addresses, so the flaw cannot leak personal data. And the attacker is not someone on the far side of the internet—only a person physically close enough for the radio signal to reach. This is not the kind of flaw that lets the other side of the planet target you.

Key facts about this vulnerability

  • ID: CVE-2026-5667 (JVNVU#99620284)
  • Severity: CVSS v4.0 base score 7.2 (High)
  • Root cause: Use of hard-coded credentials (CWE-798)—an ID and password written directly into the product
  • Precondition: no password needed, but the attacker must be within the appliance's Wi-Fi range
  • Personal data leak: none (the products hold no personal information)

Who would target this, and why

"Your home air conditioner gets hijacked" may not mean much in the abstract, so let's translate it into everyday terms: who would actually exploit this hole, and what do they want? The starting point is distance. This is not a flaw anyone in the world can reach—only someone who can get close enough for the radio signal to reach.

The people who can stand there include a neighbor in the next apartment or the floor above or below, someone who can approach a house from the road or the yard next door, a stranger who parks at the curb and lingers, or a previous tenant who can still get near a former residence. What they obtain by logging into the appliance with the shared password is not abstract "information." It is when the air conditioner turns on and off, whether it is idle while the house is empty, when the refrigerator is opened—the daily rhythm of when someone is home and when the house is empty. Because the fixed password is the same across affected models, simply standing within range is enough to read off those at-home and away habits.

It does not stop at snooping on data. If settings can be rewritten, an attacker can switch off the heating or cooling in the dead of summer or winter, or tamper with the target temperature—harassment becomes possible. If Wi-Fi is knocked out, you also lose the ability to control the appliance from your phone while away. The at-home/away rhythm is exactly the information a burglar most wants when casing a target, so collecting those patterns can become the entry point to the next crime. A tiny hole in a single air conditioner can become a window that leaks the whole household's routines.

The 7.2 CVSS figure is only a rough gauge of technical severity. For a household, what is really lost is the ordinary assurance that what happens inside the home is known only to those who live there. Precisely because it does not cause dramatic damage to life or property, the unsettling part is that your daily routine can quietly leak out without anyone noticing.

Is your appliance affected? Check these 3 states

This is the most important part. Even if you own an affected model, exposure depends on a narrow set of conditions. Mitsubishi Electric says it comes down to which of these three states your appliance is in.

| State of your appliance | Exposure | What to do |
|---|---|---|
| Wi-Fi never used (left disabled) | Not affected | Keep using as is |
| Wi-Fi enabled and connected to your home router | Not affected | Keep using as is (update when a fix ships) |
| Wi-Fi enabled but not connected to a router (left idle / left after reset) | Affected | Action required (below) |

In other words, the risky case is the "in-between" state where Wi-Fi is on but the appliance was never connected to your home router. The appliance keeps emitting its own signal, belonging to no network, so a third party who knows the shared password can connect from the side. This covers cases where you turned Wi-Fi on during setup but never finished pairing it with a router, or reset the device and left it that way.

Conversely, anyone who never used Wi-Fi, or who properly paired the device with a home router through the relevant app (such as Mitsubishi Electric's "MyMU" or "Kirigamine REMOTE," discussed below), is not affected. The first step is simply to find out which state you are in.

Which kinds of appliances are affected

The list runs to hundreds of model numbers, spanning 14 categories of household Wi-Fi products. The main types are below. To confirm whether your specific product is included, check the model-number list in Mitsubishi Electric's official advisory (PDF).

| Product type | Example model numbers |
|---|---|
| Room air conditioners (Kirigamine, etc.) | MSZ-ZW series, MSZ-FZ series, and more |
| Wi-Fi LAN adapters for air conditioners | MAC-900IF, PAC-SK43ML, and more |
| Refrigerators | MR-WXD / MR-MZ / MR-WZ series, and more |
| Heat-pump water heaters / HEMS devices | GT-RA1 / RMCB series, and more |
| Bathroom drying / heating / ventilation units | V-241BZ-RC, WD-240DK-RC, and more |
| Lossnay ventilation / smart ventilation switches | VL-200ZMHSV3-RC, P-04SWRC, and more |
| IH cooktops | RE-322SXR |
| Rice cookers | NJ-AWBX10 |

Some overseas air conditioner models are also listed, but Mitsubishi Electric says these "do not have an interface that can be directly controlled over Wi-Fi," so they cannot lead to data theft, setting changes or DoS—making their impact lighter than the domestic products. Either way, the surest confirmation is by model number.

What to do right now

If the check above put you in the "affected" state (Wi-Fi enabled, not connected to a router), there are two main fixes.

One is to simply connect the appliance to your home Wi-Fi router. Once pairing is complete, the appliance leaves the "in-between" state of broadcasting its own signal, and the vulnerability no longer applies. For connection steps, follow the relevant app and manual: "MyMU" or "Kirigamine REMOTE" for air conditioners, the Mitsubishi refrigerator app for refrigerators, "WiFi Rakuraku Suihan" for rice cookers, and so on.

The other is, if you do not use Wi-Fi at all, to turn the wireless function off. If you have no router or do not plan to use phone integration, disabling the wireless feature per the product manual (called "external connection" on water heaters, "communication settings" on rice cookers, etc.) avoids the issue on its own.

On top of that, the company is rolling out fixes (adapter software updates) in stages. Many air conditioners and adapters are already fixed in version 43.00 or later, updatable from the app. For some products the fix is still upcoming, and for a few there is no plan to release one. The main schedule is below.

| Product | Fixed version | Release timing |
|---|---|---|
| Air conditioners / adapters (many domestic models) | Ver 43.00 or later | Available now |
| IH cooktops / rice cookers | Ver 01.90 / 01.91 or later | June 29–30, 2026 |
| Refrigerators / bath units / Lossnay / ventilation switches | Per model | July 6–17, 2026 |
| Air conditioners (overseas) / some adapters | Ver 52.00 or later | December 2026 (planned) |
| Water heaters / HEMS devices | Planned (none for HEMS use) | TBD |
| Some older models (e.g. MAC-884IF) | No fix planned | |

For products with no planned fix, or while you wait for one, you can avoid exposure by either connecting to a router or disabling the wireless function. Mitsubishi Electric also recommends basic router-side measures: use a hard-to-guess password, set encryption to WPA2-PSK (AES) or similar, and place the router where outsiders cannot touch it. These help protect your whole home network, not just these appliances.
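For anyone tracking more than one appliance, the three-state check and the fix schedule above can be combined into a small triage script. This is an added example, not code from Mitsubishi Electric or the advisory; the group keys, state names and sample inventory are constructed, and it assumes a unit already on the fixed version is no longer exposed.

```python
# Added example: triage an inventory against the article's three Wi-Fi
# states and fix schedule. Group keys and sample data are constructed.

# Fixed versions the article states unambiguously; any other group has
# no single version (per model, planned, or no fix) and maps to None.
FIXED_VERSION = {"aircon_domestic": "43.00", "aircon_overseas": "52.00"}
STATES = ("disabled", "router", "unpaired")  # unpaired = Wi-Fi on, no router


def parse_version(text):
    """'43.00' -> (43, 0), so versions compare numerically, not as text."""
    return tuple(int(part) for part in text.strip().split("."))


def triage(group, wifi_state, version=None):
    """Return (exposed, action) for one appliance."""
    if wifi_state not in STATES:
        raise ValueError(f"unknown Wi-Fi state: {wifi_state!r}")
    fixed = FIXED_VERSION.get(group)
    patched = (fixed is not None and version is not None
               and parse_version(version) >= parse_version(fixed))
    if wifi_state == "disabled":
        return (False, "keep using as is")
    if wifi_state == "router":
        return (False, "keep using as is" if patched
                else "keep using; update when a fix ships")
    # Unpaired: the only state the article marks as affected. Assumption:
    # a unit already on the fixed version is no longer exposed.
    if patched:
        return (False, "on a fixed version; no action required")
    return (True, "pair with the home router or disable wireless; "
                  "update once a fix is available")


# Constructed inventory: (name, group, wifi_state, adapter version or None)
INVENTORY = [
    ("living-room AC", "aircon_domestic", "unpaired", "42.10"),
    ("bedroom AC", "aircon_domestic", "unpaired", "43.00"),
    ("kitchen fridge", "refrigerator", "router", None),
    ("old adapter", "older_model_no_fix", "unpaired", "40.00"),
    ("rice cooker", "rice_cooker", "disabled", None),
]


def exposed_units(inventory):
    """Names of the appliances that still need action."""
    return [name for name, group, state, ver in inventory
            if triage(group, state, ver)[0]]


if __name__ == "__main__":
    for name, group, state, ver in INVENTORY:
        print(name, triage(group, state, ver))
```

Groups without a single published fixed version fall through to "not patched", so their exposure depends only on the Wi-Fi state; confirm those against the model-number list in the official advisory.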

The technical view: why it happened

The cause is that a fixed network name (SSID) and a fixed password were written directly into the product. Technically this is "use of hard-coded credentials (CWE-798)"—a classic weakness that recurs in embedded devices. Baking the same secret into every unit at the factory makes manufacturing and setup easier, but once that secret is known, every unit of the same product opens with the same key.

The severity is rated CVSS v4.0 7.2. It does not reach the top 9-point band because the attacker is limited to close radio range, and the impact stays mostly at data snooping, setting changes and communication disruption rather than leaking personal data or physically taking over the device. The flaw was reported by Bulgarian security researcher Zachary Mitev, and Mitsubishi Electric credits him via its PSIRT (product security team).

Mitsubishi Electric's Wi-Fi appliances had another issue disclosed not long ago: CVE-2025-49604, where a third party on the same Wi-Fi could temporarily block remote control. That earlier flaw only let an attacker disrupt control; this one extends to snooping on data and changing settings, broadening the impact. Overseas, Mitsubishi Electric's commercial air conditioning systems have also had an authentication-bypass flaw patched, a sign that the network features of appliances keep drawing attacker attention.

Summary

This vulnerability in Mitsubishi Electric's Wi-Fi appliances stems from a simple design problem: the same password was embedded in every unit. It does not directly threaten life or property, and there is no risk of personal data leaking. But on appliances that have Wi-Fi enabled yet were never connected to a home router, a nearby third party may read your daily routine or switch your heating and cooling off.

What you need to do is not hard. First, determine whether your appliance is "Wi-Fi disabled," "connected to a router," or "enabled but not connected." If it is unconnected, pair it with your home router; if you do not use Wi-Fi, turn the wireless function off. Then update from the app once a fix ships. That is enough to avoid exposure. Even for the network features you usually ignore, checking the settings once brings peace of mind. The latest status is available on Mitsubishi Electric's vulnerability information page.
