CVE-2022-33322 in Air Conditioninginfo

Summary

by MITRE • 11/08/2022

Cross-site scripting vulnerability in Mitsubishi Electric consumer electronics products (Air Conditioning, Wi-Fi Interface, Refrigerator, HEMS adapter, Remote control with Wi-Fi Interface, BATHROOM THERMO VENTILATOR, Rice cooker, Mitsubishi Electric HEMS control adapter, Energy Recovery Ventilator, Smart Switch and Air Purifier) allows a remote unauthenticated attacker to execute an malicious script on a user's browser to disclose information, etc. The wide range of models/versions of Mitsubishi Electric consumer electronics products are affected by this vulnerability. As for the affected product models/versions, see the Mitsubishi Electric's advisory which is listed in [References] section.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 06/11/2026

This cross-site scripting vulnerability represents a critical security flaw in Mitsubishi Electric's consumer electronics ecosystem affecting multiple product categories including air conditioning systems, refrigerators, Wi-Fi interfaces, and various smart home devices. The vulnerability exists within the web interfaces of these products, which are designed to allow remote configuration and monitoring through web browsers. Attackers can exploit this weakness to inject malicious scripts into web pages viewed by users, creating a persistent threat vector that transcends traditional device boundaries. The vulnerability's impact extends across numerous product lines and firmware versions, indicating a systemic design flaw rather than an isolated incident.

The technical implementation of this XSS vulnerability stems from inadequate input validation and output encoding within the web-based interfaces of these consumer devices. When users access the web management interfaces of affected Mitsubishi Electric products, the system fails to properly sanitize user-supplied data before rendering it in web responses. This allows attackers to inject malicious JavaScript code through parameters, form fields, or URL components that are subsequently executed in the victim's browser context. The vulnerability is classified as a classic reflected XSS attack vector where malicious payloads are delivered through crafted URLs or form submissions that bypass security controls.

Operationally, this vulnerability enables attackers to execute a range of malicious activities including session hijacking, credential theft, and data exfiltration from connected devices. Remote unauthenticated access means that attackers can exploit this vulnerability without requiring valid credentials or physical access to the devices, making the attack surface particularly broad. The affected products typically operate in residential environments where users may have limited cybersecurity awareness, creating additional risk factors. Attackers could potentially gain insights into device configurations, user preferences, or even access to home network information, leading to broader security compromise.

Mitigation strategies should focus on immediate firmware updates provided by Mitsubishi Electric, which address the input validation and output encoding deficiencies. Network segmentation and firewall rules can help limit access to affected web interfaces, while web application firewalls may provide additional protection layers. Users should disable web interfaces when not actively needed and regularly update device firmware to address known vulnerabilities. Security monitoring should include detection of suspicious web traffic patterns and unauthorized access attempts to device management interfaces. Organizations implementing these devices in commercial or industrial settings should consider network access controls and regular vulnerability assessments to identify and remediate similar weaknesses. This vulnerability aligns with CWE-79 (Cross-site Scripting) and represents a significant risk under ATT&CK framework category T1566 (Phishing) and T1071.004 (Application Layer Protocol: DNS) where attackers can leverage device web interfaces to establish persistent access points. The widespread impact across multiple product categories underscores the need for comprehensive vulnerability management programs and vendor coordination to address systemic security issues in IoT ecosystems.

Reservation

06/14/2022

Disclosure

11/08/2022

Moderation

accepted

CPE

ready

EPSS

0.00837

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!