Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Missing authentication and clear‑text transmission of data from the heat pumps to the control server, combined with the absence of input validation on aggregated data, can lead to stored XSS that enables theft of cookies from the pump’s web control interface. Older Orca heat pump devices communicating with the Orca server over an unencrypted and unauthenticated HTTP connection on a non-secure port specifically enable an attacker to impersonate a legitimate device and inject malicious payloads. This enables the insertion of harmful code directly into the Orca user portal, potentially compromising user accounts, exposing sensitive information, and allowing further unauthorized actions within the portal.
AnalysisAI
Stored XSS in the Orca user portal is enabled by a multi-layer architectural failure in older Orca heat pump devices: device-to-server communications occur over unencrypted, unauthenticated HTTP on a non-secure port, and the server performs no input validation on the data it aggregates. An unauthenticated network attacker can impersonate a legitimate heat pump device, inject malicious JavaScript payloads into the data stream, which are then stored and rendered in the Orca user portal. When a portal user loads the affected page, the stored script executes, enabling session cookie theft and unauthorized actions within the portal. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Technical ContextAI
The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation - Stored XSS), but its root cause is a compound architectural failure spanning three distinct weaknesses. First, the device-to-server channel uses cleartext HTTP with no authentication, meaning any network-adjacent attacker can impersonate a heat pump (device spoofing). Second, the Orca server performs no input validation on data aggregated from devices, allowing injected payloads to pass through unchecked. Third, the Orca user portal (CPE: cpe:2.3:a:orca_energy:orca_user_portal:*:*:*:*:*:*:*:*) renders this unsanitized data directly, completing the stored XSS condition. The affected hardware is identified via CPE cpe:2.3:a:orca_energy:orca_heat_pump:*:*:*:*:*:*:*:*, scoped to older devices in the description. The protocol-level lack of TLS and the absence of device authentication tokens are the enabling prerequisites that elevate what would otherwise be a straightforward XSS into a remotely exploitable, unauthenticated supply-chain injection path.
RemediationAI
No vendor-released patch with an exact fix version has been identified at time of analysis. The SI-CERT advisory at https://www.cert.si/en/cve-2026-25599/ should be monitored for patch release announcements. Until a patch is available, the following specific compensating controls are recommended: (1) Enforce TLS on the device-to-server communication channel to prevent cleartext interception and payload injection - this eliminates the primary injection vector but requires firmware support on older devices, which may not be feasible without a vendor update. (2) Implement device authentication tokens or mutual TLS (mTLS) between heat pump devices and the Orca server to prevent device impersonation - without this, TLS alone does not prevent a network attacker from registering a rogue device. (3) Apply strict server-side input validation and output encoding in the Orca user portal for all device-sourced data fields - this is the most immediately actionable server-side control and can be deployed independently of firmware changes. (4) Isolate heat pump device communication networks from untrusted segments using VLANs or firewall ACLs restricting port access to the non-secure HTTP port used for device communication, limiting attacker positioning opportunities. Note that network isolation does not remediate the root causes and should be treated as a temporary mitigation only.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33617
GHSA-m272-v6vr-r4ff