Orca Heat Pump
Monthly
Stored XSS in the Orca user portal is enabled by a multi-layer architectural failure in older Orca heat pump devices: device-to-server communications occur over unencrypted, unauthenticated HTTP on a non-secure port, and the server performs no input validation on the data it aggregates. An unauthenticated network attacker can impersonate a legitimate heat pump device, inject malicious JavaScript payloads into the data stream, which are then stored and rendered in the Orca user portal. When a portal user loads the affected page, the stored script executes, enabling session cookie theft and unauthorized actions within the portal. No public exploit code and no CISA KEV listing have been identified at time of analysis.
Stored XSS in the Orca user portal is enabled by a multi-layer architectural failure in older Orca heat pump devices: device-to-server communications occur over unencrypted, unauthenticated HTTP on a non-secure port, and the server performs no input validation on the data it aggregates. An unauthenticated network attacker can impersonate a legitimate heat pump device, inject malicious JavaScript payloads into the data stream, which are then stored and rendered in the Orca user portal. When a portal user loads the affected page, the stored script executes, enabling session cookie theft and unauthorized actions within the portal. No public exploit code and no CISA KEV listing have been identified at time of analysis.