Search criteria
6 vulnerabilities found for Mojave Inverter by Outback Power
CVE-2025-24861 (GCVE-0-2025-24861)
Vulnerability from cvelistv5 – Published: 2025-02-13 21:20 – Updated: 2025-02-14 15:47
VLAI?
Title
Outback Power Mojave Inverter Command Injection
Summary
An attacker may inject commands via specially-crafted post requests.
Severity ?
CWE
- CWE-77 - Command Injection
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Outback Power | Mojave Inverter |
Affected:
All versions
|
Credits
Jon Hurtado of Sandia National Laboratory reported these vulnerabilities to CISA.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24861",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-14T15:37:12.816629Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-14T15:47:37.776Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mojave Inverter",
"vendor": "Outback Power",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jon Hurtado of Sandia National Laboratory reported these vulnerabilities to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An attacker may inject commands via specially-crafted post requests."
}
],
"value": "An attacker may inject commands via specially-crafted post requests."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-13T21:20:05.837Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-044-17"
},
{
"url": "https://old.outbackpower.com/about-outback/contact/contact-us"
}
],
"source": {
"advisory": "ICSA-25-044-17",
"discovery": "EXTERNAL"
},
"title": "Outback Power Mojave Inverter Command Injection",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The Mojave Inverter was a product of Enersys. When Outback Power was \nsplit off from Enersys recently, Mojave Inverter was moved to Outback \nPower, but without the resources to maintain the product. Outback Power \nmay discontinue this product and has not yet addressed these \nvulnerabilities. CISA recommends disabling the networking features of \nthis product until a replacement product can be acquired.\n\n\u003cbr\u003e"
}
],
"value": "The Mojave Inverter was a product of Enersys. When Outback Power was \nsplit off from Enersys recently, Mojave Inverter was moved to Outback \nPower, but without the resources to maintain the product. Outback Power \nmay discontinue this product and has not yet addressed these \nvulnerabilities. CISA recommends disabling the networking features of \nthis product until a replacement product can be acquired."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-24861",
"datePublished": "2025-02-13T21:20:05.837Z",
"dateReserved": "2025-02-12T16:21:30.233Z",
"dateUpdated": "2025-02-14T15:47:37.776Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-25281 (GCVE-0-2025-25281)
Vulnerability from cvelistv5 – Published: 2025-02-13 21:18 – Updated: 2025-02-14 15:47
VLAI?
Title
Outback Power Mojave Inverter Exposure of Sensitive Information to an Unauthorized Actor
Summary
An attacker may modify the URL to discover sensitive information about the target network.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Outback Power | Mojave Inverter |
Affected:
All versions
|
Credits
Jon Hurtado of Sandia National Laboratory reported these vulnerabilities to CISA.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-25281",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-14T15:37:15.584581Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-14T15:47:48.300Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mojave Inverter",
"vendor": "Outback Power",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jon Hurtado of Sandia National Laboratory reported these vulnerabilities to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An attacker may modify the URL to discover sensitive information about the target network."
}
],
"value": "An attacker may modify the URL to discover sensitive information about the target network."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-13T21:18:56.425Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-044-17"
},
{
"url": "https://old.outbackpower.com/about-outback/contact/contact-us"
}
],
"source": {
"advisory": "ICSA-25-044-17",
"discovery": "EXTERNAL"
},
"title": "Outback Power Mojave Inverter Exposure of Sensitive Information to an Unauthorized Actor",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The Mojave Inverter was a product of Enersys. When Outback Power was \nsplit off from Enersys recently, Mojave Inverter was moved to Outback \nPower, but without the resources to maintain the product. Outback Power \nmay discontinue this product and has not yet addressed these \nvulnerabilities. CISA recommends disabling the networking features of \nthis product until a replacement product can be acquired.\n\n\u003cbr\u003e"
}
],
"value": "The Mojave Inverter was a product of Enersys. When Outback Power was \nsplit off from Enersys recently, Mojave Inverter was moved to Outback \nPower, but without the resources to maintain the product. Outback Power \nmay discontinue this product and has not yet addressed these \nvulnerabilities. CISA recommends disabling the networking features of \nthis product until a replacement product can be acquired."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-25281",
"datePublished": "2025-02-13T21:18:56.425Z",
"dateReserved": "2025-02-12T16:21:30.252Z",
"dateUpdated": "2025-02-14T15:47:48.300Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-26473 (GCVE-0-2025-26473)
Vulnerability from cvelistv5 – Published: 2025-02-13 21:17 – Updated: 2025-02-14 15:47
VLAI?
Title
Outback Power Mojave Inverter Use of GET Request Method With Sensitive Query Strings
Summary
The Mojave Inverter uses the GET method for sensitive information.
Severity ?
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Outback Power | Mojave Inverter |
Affected:
All versions
|
Credits
Jon Hurtado of Sandia National Laboratory reported these vulnerabilities to CISA.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-26473",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-14T15:37:18.360683Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-14T15:47:58.188Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mojave Inverter",
"vendor": "Outback Power",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jon Hurtado of Sandia National Laboratory reported these vulnerabilities to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The Mojave Inverter uses the GET method for sensitive information."
}
],
"value": "The Mojave Inverter uses the GET method for sensitive information."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-598",
"description": "CWE-598",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-13T21:17:46.586Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-044-17"
},
{
"url": "https://old.outbackpower.com/about-outback/contact/contact-us"
}
],
"source": {
"advisory": "ICSA-25-044-17",
"discovery": "EXTERNAL"
},
"title": "Outback Power Mojave Inverter Use of GET Request Method With Sensitive Query Strings",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The Mojave Inverter was a product of Enersys. When Outback Power was \nsplit off from Enersys recently, Mojave Inverter was moved to Outback \nPower, but without the resources to maintain the product. Outback Power \nmay discontinue this product and has not yet addressed these \nvulnerabilities. CISA recommends disabling the networking features of \nthis product until a replacement product can be acquired.\n\n\u003cbr\u003e"
}
],
"value": "The Mojave Inverter was a product of Enersys. When Outback Power was \nsplit off from Enersys recently, Mojave Inverter was moved to Outback \nPower, but without the resources to maintain the product. Outback Power \nmay discontinue this product and has not yet addressed these \nvulnerabilities. CISA recommends disabling the networking features of \nthis product until a replacement product can be acquired."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-26473",
"datePublished": "2025-02-13T21:17:46.586Z",
"dateReserved": "2025-02-12T16:21:30.264Z",
"dateUpdated": "2025-02-14T15:47:58.188Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-24861 (GCVE-0-2025-24861)
Vulnerability from nvd – Published: 2025-02-13 21:20 – Updated: 2025-02-14 15:47
VLAI?
Title
Outback Power Mojave Inverter Command Injection
Summary
An attacker may inject commands via specially-crafted post requests.
Severity ?
CWE
- CWE-77 - Command Injection
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Outback Power | Mojave Inverter |
Affected:
All versions
|
Credits
Jon Hurtado of Sandia National Laboratory reported these vulnerabilities to CISA.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24861",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-14T15:37:12.816629Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-14T15:47:37.776Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mojave Inverter",
"vendor": "Outback Power",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jon Hurtado of Sandia National Laboratory reported these vulnerabilities to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An attacker may inject commands via specially-crafted post requests."
}
],
"value": "An attacker may inject commands via specially-crafted post requests."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77 Command Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-13T21:20:05.837Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-044-17"
},
{
"url": "https://old.outbackpower.com/about-outback/contact/contact-us"
}
],
"source": {
"advisory": "ICSA-25-044-17",
"discovery": "EXTERNAL"
},
"title": "Outback Power Mojave Inverter Command Injection",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The Mojave Inverter was a product of Enersys. When Outback Power was \nsplit off from Enersys recently, Mojave Inverter was moved to Outback \nPower, but without the resources to maintain the product. Outback Power \nmay discontinue this product and has not yet addressed these \nvulnerabilities. CISA recommends disabling the networking features of \nthis product until a replacement product can be acquired.\n\n\u003cbr\u003e"
}
],
"value": "The Mojave Inverter was a product of Enersys. When Outback Power was \nsplit off from Enersys recently, Mojave Inverter was moved to Outback \nPower, but without the resources to maintain the product. Outback Power \nmay discontinue this product and has not yet addressed these \nvulnerabilities. CISA recommends disabling the networking features of \nthis product until a replacement product can be acquired."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-24861",
"datePublished": "2025-02-13T21:20:05.837Z",
"dateReserved": "2025-02-12T16:21:30.233Z",
"dateUpdated": "2025-02-14T15:47:37.776Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-25281 (GCVE-0-2025-25281)
Vulnerability from nvd – Published: 2025-02-13 21:18 – Updated: 2025-02-14 15:47
VLAI?
Title
Outback Power Mojave Inverter Exposure of Sensitive Information to an Unauthorized Actor
Summary
An attacker may modify the URL to discover sensitive information about the target network.
Severity ?
CWE
- CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Outback Power | Mojave Inverter |
Affected:
All versions
|
Credits
Jon Hurtado of Sandia National Laboratory reported these vulnerabilities to CISA.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-25281",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-14T15:37:15.584581Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-14T15:47:48.300Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mojave Inverter",
"vendor": "Outback Power",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jon Hurtado of Sandia National Laboratory reported these vulnerabilities to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "An attacker may modify the URL to discover sensitive information about the target network."
}
],
"value": "An attacker may modify the URL to discover sensitive information about the target network."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-13T21:18:56.425Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-044-17"
},
{
"url": "https://old.outbackpower.com/about-outback/contact/contact-us"
}
],
"source": {
"advisory": "ICSA-25-044-17",
"discovery": "EXTERNAL"
},
"title": "Outback Power Mojave Inverter Exposure of Sensitive Information to an Unauthorized Actor",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The Mojave Inverter was a product of Enersys. When Outback Power was \nsplit off from Enersys recently, Mojave Inverter was moved to Outback \nPower, but without the resources to maintain the product. Outback Power \nmay discontinue this product and has not yet addressed these \nvulnerabilities. CISA recommends disabling the networking features of \nthis product until a replacement product can be acquired.\n\n\u003cbr\u003e"
}
],
"value": "The Mojave Inverter was a product of Enersys. When Outback Power was \nsplit off from Enersys recently, Mojave Inverter was moved to Outback \nPower, but without the resources to maintain the product. Outback Power \nmay discontinue this product and has not yet addressed these \nvulnerabilities. CISA recommends disabling the networking features of \nthis product until a replacement product can be acquired."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-25281",
"datePublished": "2025-02-13T21:18:56.425Z",
"dateReserved": "2025-02-12T16:21:30.252Z",
"dateUpdated": "2025-02-14T15:47:48.300Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-26473 (GCVE-0-2025-26473)
Vulnerability from nvd – Published: 2025-02-13 21:17 – Updated: 2025-02-14 15:47
VLAI?
Title
Outback Power Mojave Inverter Use of GET Request Method With Sensitive Query Strings
Summary
The Mojave Inverter uses the GET method for sensitive information.
Severity ?
CWE
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Outback Power | Mojave Inverter |
Affected:
All versions
|
Credits
Jon Hurtado of Sandia National Laboratory reported these vulnerabilities to CISA.
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-26473",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-14T15:37:18.360683Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-14T15:47:58.188Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Mojave Inverter",
"vendor": "Outback Power",
"versions": [
{
"status": "affected",
"version": "All versions"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jon Hurtado of Sandia National Laboratory reported these vulnerabilities to CISA."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The Mojave Inverter uses the GET method for sensitive information."
}
],
"value": "The Mojave Inverter uses the GET method for sensitive information."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-598",
"description": "CWE-598",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-13T21:17:46.586Z",
"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"shortName": "icscert"
},
"references": [
{
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-044-17"
},
{
"url": "https://old.outbackpower.com/about-outback/contact/contact-us"
}
],
"source": {
"advisory": "ICSA-25-044-17",
"discovery": "EXTERNAL"
},
"title": "Outback Power Mojave Inverter Use of GET Request Method With Sensitive Query Strings",
"workarounds": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "The Mojave Inverter was a product of Enersys. When Outback Power was \nsplit off from Enersys recently, Mojave Inverter was moved to Outback \nPower, but without the resources to maintain the product. Outback Power \nmay discontinue this product and has not yet addressed these \nvulnerabilities. CISA recommends disabling the networking features of \nthis product until a replacement product can be acquired.\n\n\u003cbr\u003e"
}
],
"value": "The Mojave Inverter was a product of Enersys. When Outback Power was \nsplit off from Enersys recently, Mojave Inverter was moved to Outback \nPower, but without the resources to maintain the product. Outback Power \nmay discontinue this product and has not yet addressed these \nvulnerabilities. CISA recommends disabling the networking features of \nthis product until a replacement product can be acquired."
}
],
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
"assignerShortName": "icscert",
"cveId": "CVE-2025-26473",
"datePublished": "2025-02-13T21:17:46.586Z",
"dateReserved": "2025-02-12T16:21:30.264Z",
"dateUpdated": "2025-02-14T15:47:58.188Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}