Authentication Bypass Using an Alternate Path or Channel vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows Authentication Bypass.This issue affects Multi-Stack Controller (MSC): from 2.3.8 before 2.5.1.
The vulnerability is classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and consists of the ability to access protected resources or system functions through an alternative communication path or channel that does not require proper authentication. A remote attacker, without any privileges or user interaction, can bypass standard access control mechanisms built into the MSC controller. The exploit does not require specific network conditions or prior privileges.
An unauthenticated remote attacker gains full access to the MSC controller, which can lead to device takeover, manipulation of battery energy storage management system configurations, and potentially disruption of energy infrastructure operations. The vulnerability affects the confidentiality, integrity, and availability of the system and related components.
Update Nuvation Energy Multi-Stack Controller (MSC) software to version 2.5.1 or later. Detailed information regarding the update is available in the manufacturer's advisory and in the Dragos references at https://www.dragos.com/community/advisories/CVE-2025-64119. Until the patch is applied, it is recommended to isolate MSC devices from public networks and restrict network access only to trusted hosts.
Nuvation Energy Multi-Stack Controller (MSC) versions from 2.3.8 to 2.5.1 (exclusive), including products: nPlatform, NuvMSC3-04S-C, NuvMSC3-08S-C, NuvMSC3-12S-C, NuvMSC3-16S-C.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:X/V:X/RE:X/U:XNuvationenergy Nplatform
APPNuvationenergy2.3.8 – 2.5.1 (bez)Nuvationenergy Nuvmsc3 04s C
HWNuvationenergywszystkie wersjeNuvationenergy Nuvmsc3 08s C
HWNuvationenergywszystkie wersjeNuvationenergy Nuvmsc3 12s C
HWNuvationenergywszystkie wersjeNuvationenergy Nuvmsc3 16s C
HWNuvationenergywszystkie wersje
Related vulnerabilities
OS Command Injection w Nuvation Energy Multi-Stack Controller (MSC)
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Nu...
Insufficiently Protected Credentials vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows Sign...
Unintended Proxy or Intermediary vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows Network ...