Nplatform
CVE-2025-64121
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Authentication Bypass Using an Alternate Path or Channel vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows Authentication Bypass.This issue affects Multi-Stack Controller (MSC): from 2.3.8 before 2.5.1.
AnalysisAI
Nuvation Energy Multi-Stack Controller (MSC) for battery storage systems allows authentication bypass through an alternate channel, enabling unauthenticated attackers to access critical energy management functions. Affects versions 2.3.8 to 2.5.1.
Technical ContextAI
The Multi-Stack Controller has an alternate authentication path (CWE-288) that bypasses the primary authentication mechanism. This provides unauthenticated access to battery management functions on industrial energy storage systems.
RemediationAI
Update to MSC firmware 2.5.1 or later. Isolate energy management controllers on dedicated OT networks. Implement network monitoring for unauthorized access attempts.
Nuvation Energy MSC through 2.5.1 can be used as an unintended network proxy to bridge security boundaries. An attacker
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Nuvation Ene
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability in Nuvation Ene
Insufficiently Protected Credentials vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows Signature Spoo
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today