CVE-2025-46414 (GCVE-0-2025-46414)

Vulnerability from cvelistv5 – Published: 2025-08-08 16:17 – Updated: 2025-08-08 19:13
VLAI?
Summary
The affected product does not limit the number of attempts for inputting the correct PIN for a registered product, which may allow an attacker to gain unauthorized access using brute-force methods if they possess a valid device serial number. The API provides clear feedback when the correct PIN is entered. This vulnerability was patched in a server-side update on April 6, 2025.
Severity ?
8.1 (High)
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
9.2 (Critical)
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CWE
Assigner
References
Impacted products
Vendor Product Version
EG4 Electronics EG4 12kPV Affected: all versions
Create a notification for this product.
Credits
Anthony Rose of BC Security reported these vulnerabilities to CISA.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-46414",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-08-08T19:13:34.209202Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-08-08T19:13:44.835Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "EG4 12kPV",
          "vendor": "EG4 Electronics",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "EG4 18kPV",
          "vendor": "EG4 Electronics",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "EG4 Flex 21",
          "vendor": "EG4 Electronics",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "EG4 Flex 18",
          "vendor": "EG4 Electronics",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "EG4 6000XP",
          "vendor": "EG4 Electronics",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "EG4 12000XP",
          "vendor": "EG4 Electronics",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        },
        {
          "defaultStatus": "unaffected",
          "product": "EG4 GridBoss",
          "vendor": "EG4 Electronics",
          "versions": [
            {
              "status": "affected",
              "version": "all versions"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Anthony Rose of BC Security reported these vulnerabilities to CISA."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The affected product does not limit the number of attempts for inputting\n the correct PIN for a registered product, which may allow an attacker \nto gain unauthorized access using brute-force methods if they possess a \nvalid device serial number. The API provides clear feedback when the \ncorrect PIN is entered. This vulnerability was patched in a server-side \nupdate on April 6, 2025."
            }
          ],
          "value": "The affected product does not limit the number of attempts for inputting\n the correct PIN for a registered product, which may allow an attacker \nto gain unauthorized access using brute-force methods if they possess a \nvalid device serial number. The API provides clear feedback when the \ncorrect PIN is entered. This vulnerability was patched in a server-side \nupdate on April 6, 2025."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        },
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "HIGH",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 9.2,
            "baseSeverity": "CRITICAL",
            "privilegesRequired": "NONE",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-307",
              "description": "CWE-307",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-08-08T16:17:43.727Z",
        "orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
        "shortName": "icscert"
      },
      "references": [
        {
          "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-07"
        },
        {
          "url": "https://eg4electronics.com/contact/"
        }
      ],
      "source": {
        "advisory": "ICSA-25-219-07",
        "discovery": "EXTERNAL"
      },
      "title": "EG4 Electronics EG4 Inverters Improper Restriction of Excessive Authentication Attempts",
      "workarounds": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003e\u003c/p\u003e\n\u003cp\u003eCVE-2025-46414 was fixed on April 6, 2025. No user action was or is necessary.\u003c/p\u003e\n\u003cp\u003eFor more information, \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://eg4electronics.com/contact/\"\u003econtact EG4.\u003c/a\u003e\u003c/p\u003e\n\n\u003cp\u003e\u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://eg4electronics.com/contact/\"\u003e\u003c/a\u003e\u003c/p\u003e\n\n\u003cbr\u003e"
            }
          ],
          "value": "CVE-2025-46414 was fixed on April 6, 2025. No user action was or is necessary.\n\n\nFor more information,  contact EG4. https://eg4electronics.com/contact/ \n\n\n\n  https://eg4electronics.com/contact/"
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6",
    "assignerShortName": "icscert",
    "cveId": "CVE-2025-46414",
    "datePublished": "2025-08-08T16:17:43.727Z",
    "dateReserved": "2025-07-30T19:03:10.098Z",
    "dateUpdated": "2025-08-08T19:13:44.835Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-46414\",\"sourceIdentifier\":\"ics-cert@hq.dhs.gov\",\"published\":\"2025-08-08T17:15:28.387\",\"lastModified\":\"2025-08-08T20:30:18.180\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The affected product does not limit the number of attempts for inputting\\n the correct PIN for a registered product, which may allow an attacker \\nto gain unauthorized access using brute-force methods if they possess a \\nvalid device serial number. The API provides clear feedback when the \\ncorrect PIN is entered. This vulnerability was patched in a server-side \\nupdate on April 6, 2025.\"},{\"lang\":\"es\",\"value\":\"El producto afectado no limita el n\u00famero de intentos para introducir el PIN correcto de un producto registrado, lo que podr\u00eda permitir que un atacante obtenga acceso no autorizado mediante ataques de fuerza bruta si posee un n\u00famero de serie v\u00e1lido del dispositivo. La API proporciona una respuesta clara al introducir el PIN correcto. Esta vulnerabilidad se corrigi\u00f3 en una actualizaci\u00f3n del servidor el 6 de abril de 2025.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":9.2,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.2,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"ics-cert@hq.dhs.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-307\"}]}],\"references\":[{\"url\":\"https://eg4electronics.com/contact/\",\"source\":\"ics-cert@hq.dhs.gov\"},{\"url\":\"https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-07\",\"source\":\"ics-cert@hq.dhs.gov\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2025-46414\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-08-08T19:13:34.209202Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2025-08-08T19:13:40.134Z\"}}], \"cna\": {\"title\": \"EG4 Electronics EG4 Inverters Improper Restriction of Excessive Authentication Attempts\", \"source\": {\"advisory\": \"ICSA-25-219-07\", \"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"Anthony Rose of BC Security reported these vulnerabilities to CISA.\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.1, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}, {\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 9.2, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"HIGH\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"NONE\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"HIGH\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}, \"scenarios\": [{\"lang\": \"en\", \"value\": \"GENERAL\"}]}], \"affected\": [{\"vendor\": \"EG4 Electronics\", \"product\": \"EG4 12kPV\", \"versions\": [{\"status\": \"affected\", \"version\": \"all versions\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"EG4 Electronics\", \"product\": \"EG4 18kPV\", \"versions\": [{\"status\": \"affected\", \"version\": \"all versions\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"EG4 Electronics\", \"product\": \"EG4 Flex 21\", \"versions\": [{\"status\": \"affected\", \"version\": \"all versions\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"EG4 Electronics\", \"product\": \"EG4 Flex 18\", \"versions\": [{\"status\": \"affected\", \"version\": \"all versions\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"EG4 Electronics\", \"product\": \"EG4 6000XP\", \"versions\": [{\"status\": \"affected\", \"version\": \"all versions\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"EG4 Electronics\", \"product\": \"EG4 12000XP\", \"versions\": [{\"status\": \"affected\", \"version\": \"all versions\"}], \"defaultStatus\": \"unaffected\"}, {\"vendor\": \"EG4 Electronics\", \"product\": \"EG4 GridBoss\", \"versions\": [{\"status\": \"affected\", \"version\": \"all versions\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://www.cisa.gov/news-events/ics-advisories/icsa-25-219-07\"}, {\"url\": \"https://eg4electronics.com/contact/\"}], \"workarounds\": [{\"lang\": \"en\", \"value\": \"CVE-2025-46414 was fixed on April 6, 2025. No user action was or is necessary.\\n\\n\\nFor more information,  contact EG4. https://eg4electronics.com/contact/ \\n\\n\\n\\n  https://eg4electronics.com/contact/\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"\u003cp\u003e\u003c/p\u003e\\n\u003cp\u003eCVE-2025-46414 was fixed on April 6, 2025. No user action was or is necessary.\u003c/p\u003e\\n\u003cp\u003eFor more information, \u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://eg4electronics.com/contact/\\\"\u003econtact EG4.\u003c/a\u003e\u003c/p\u003e\\n\\n\u003cp\u003e\u003ca target=\\\"_blank\\\" rel=\\\"nofollow\\\" href=\\\"https://eg4electronics.com/contact/\\\"\u003e\u003c/a\u003e\u003c/p\u003e\\n\\n\u003cbr\u003e\", \"base64\": false}]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"The affected product does not limit the number of attempts for inputting\\n the correct PIN for a registered product, which may allow an attacker \\nto gain unauthorized access using brute-force methods if they possess a \\nvalid device serial number. The API provides clear feedback when the \\ncorrect PIN is entered. This vulnerability was patched in a server-side \\nupdate on April 6, 2025.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"The affected product does not limit the number of attempts for inputting\\n the correct PIN for a registered product, which may allow an attacker \\nto gain unauthorized access using brute-force methods if they possess a \\nvalid device serial number. The API provides clear feedback when the \\ncorrect PIN is entered. This vulnerability was patched in a server-side \\nupdate on April 6, 2025.\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-307\", \"description\": \"CWE-307\"}]}], \"providerMetadata\": {\"orgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"shortName\": \"icscert\", \"dateUpdated\": \"2025-08-08T16:17:43.727Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2025-46414\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-08-08T19:13:44.835Z\", \"dateReserved\": \"2025-07-30T19:03:10.098Z\", \"assignerOrgId\": \"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6\", \"datePublished\": \"2025-08-08T16:17:43.727Z\", \"assignerShortName\": \"icscert\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.