CVE-2026-24448
Mitsubishi Electric · MR-GM Series Routers (MR-GM5L-S1, MR-GM5A-L1)
The use of hard-coded credentials in Mitsubishi Electric MR-GM series routers allows attackers to gain unauthorized administrative access to the device.
Executive summary
The presence of hard-coded credentials in Mitsubishi Electric MR-GM series routers allows unauthenticated attackers to obtain full administrative control over the affected hardware.
Vulnerability
This vulnerability involves the use of hard-coded credentials within the device firmware. An unauthenticated attacker with network access to the router can use these static credentials to bypass standard authentication mechanisms and gain administrative privileges.
Business impact
Unauthorized administrative access to industrial routing hardware can lead to the interception of sensitive network traffic, disruption of industrial processes, and unauthorized lateral movement within the network. The CVSS score of 9.8 reflects the critical risk to infrastructure stability and the ease with which an attacker can compromise the device.
Remediation
Immediate Action: Update the firmware for MR-GM5L-S1 and MR-GM5A-L1 routers to the latest version provided by Mitsubishi Electric.
Proactive Monitoring: Review device access logs for any logins originating from unexpected IP addresses or at unusual times.
Compensating Controls: Restrict access to the router’s management interface using network access control lists (ACLs) or a VPN to ensure only authorized personnel can reach the device.
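The log review described under Proactive Monitoring can be scripted. The following is an added example, not part of the original advisory and not Mitsubishi Electric tooling. The log layout, the management subnet (10.20.0.0/24) and the expected login hours (07:00 to 19:00) are assumptions to replace with your own values.

```python
import ipaddress
import re
from datetime import datetime, time

# Assumptions (not from the advisory): management subnet and expected admin hours.
MGMT_NETS = [ipaddress.ip_network("10.20.0.0/24")]
WINDOW = (time(7, 0), time(19, 0))  # local time when admin logins are expected

# Constructed sample lines in a generic syslog-like layout; not the router's real format.
SAMPLE_LOG = """\
2026-03-02T08:14:09 mr-gm login success user=admin src=10.20.0.15
2026-03-02T02:41:55 mr-gm login success user=admin src=10.20.0.15
2026-03-03T10:05:31 mr-gm login success user=admin src=192.168.77.4
2026-03-03T10:06:02 mr-gm login failure user=admin src=10.20.0.22
2026-03-04T23:58:40 mr-gm login success user=admin src=203.0.113.50
garbled line without fields
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ login (?P<result>success|failure) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")

def review_logins(log_text, nets=MGMT_NETS, window=WINDOW):
    """Return (line_no, reasons) for successful logins that need a closer look."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(line.strip())
        if not m or m["result"] != "success":
            continue  # unparsable lines and failed logins are out of scope here
        reasons = []
        try:
            src = ipaddress.ip_address(m["src"])
            if not any(src in net for net in nets):
                reasons.append("source outside management subnet")
        except ValueError:
            reasons.append("unparsable source address")
        try:
            ts = datetime.fromisoformat(m["ts"])
            if not (window[0] <= ts.time() < window[1]):
                reasons.append("outside expected hours")
        except ValueError:
            reasons.append("unparsable timestamp")
        if reasons:
            findings.append((line_no, reasons))
    return findings

if __name__ == "__main__":
    for line_no, reasons in review_logins(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(reasons)}")
```

Because a hard-coded credential produces a login that looks legitimate, successful logins are the ones checked here; source and time are the only signals that separate them from normal administration.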
Exploitation status
Public Exploit Available: No
Analyst recommendation
This vulnerability represents a significant risk to industrial environments. The use of hard-coded credentials effectively eliminates the security boundary for administrative access. It is critical that organizations using these Mitsubishi Electric routers apply the recommended firmware updates immediately and ensure that management interfaces are not exposed to the public internet.