CRITICAL🇵🇱 Wersja polska

CVE-2025-64121

CVSS 10.0v4.0pub. 2026-01-02upd. 2026-02-26

Authentication Bypass Using an Alternate Path or Channel vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows Authentication Bypass.This issue affects Multi-Stack Controller (MSC): from 2.3.8 before 2.5.1.

🤖 AI Analysis
How it works

The vulnerability is classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and consists of the ability to access protected resources or system functions through an alternative communication path or channel that does not require proper authentication. A remote attacker, without any privileges or user interaction, can bypass standard access control mechanisms built into the MSC controller. The exploit does not require specific network conditions or prior privileges.

Impact

An unauthenticated remote attacker gains full access to the MSC controller, which can lead to device takeover, manipulation of battery energy storage management system configurations, and potentially disruption of energy infrastructure operations. The vulnerability affects the confidentiality, integrity, and availability of the system and related components.

Mitigation & patch

Update Nuvation Energy Multi-Stack Controller (MSC) software to version 2.5.1 or later. Detailed information regarding the update is available in the manufacturer's advisory and in the Dragos references at https://www.dragos.com/community/advisories/CVE-2025-64119. Until the patch is applied, it is recommended to isolate MSC devices from public networks and restrict network access only to trusted hosts.

Who is affected

Nuvation Energy Multi-Stack Controller (MSC) versions from 2.3.8 to 2.5.1 (exclusive), including products: nPlatform, NuvMSC3-04S-C, NuvMSC3-08S-C, NuvMSC3-12S-C, NuvMSC3-16S-C.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:X/V:X/RE:X/U:X
  • Nuvationenergy Nplatform

    APP
    Nuvationenergy
    2.3.8 – 2.5.1 (bez)
  • Nuvationenergy Nuvmsc3 04s C

    HW
    Nuvationenergy
    wszystkie wersje
  • Nuvationenergy Nuvmsc3 08s C

    HW
    Nuvationenergy
    wszystkie wersje
  • Nuvationenergy Nuvmsc3 12s C

    HW
    Nuvationenergy
    wszystkie wersje
  • Nuvationenergy Nuvmsc3 16s C

    HW
    Nuvationenergy
    wszystkie wersje
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2025-64120CRITICAL9.4PL ✓ten sam produkt

OS Command Injection w Nuvation Energy Multi-Stack Controller (MSC)

CVE-2025-64124HIGH8.7ten sam produkt

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Nu...

CVE-2025-64122HIGH7.2ten sam produkt

Insufficiently Protected Credentials vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows Sign...

CVE-2025-64123HIGH7.9ten sam produkt

Unintended Proxy or Intermediary vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows Network ...