CVE-2025-64124
OS Command Injection in Nuvation MSC Before
Publication date: 2026-01-03
Last updated on: 2026-02-26
Assigner: Dragos, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nuvationenergy | nplatform | to 2.5.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The provided resources do not include specific detection methods or commands to identify this vulnerability on your network or system. It is recommended to update to Platform version 2.5.1 to mitigate the risk and secure access with strong authentication and network restrictions. [1]
Can you explain this vulnerability to me?
This vulnerability is an OS Command Injection (CWE-78) in Nuvation Energy's Multi-Stack Controller (MSC) devices before version 2.5.1. It allows an attacker with low privileges to remotely execute arbitrary operating system commands on the affected device. The attack complexity is high, but no user interaction is required. This means that an attacker could potentially take control of the system by injecting malicious commands through the network. [1]
How can this vulnerability impact me? :
The vulnerability can have a severe impact by allowing an attacker to execute arbitrary OS commands remotely, which can compromise the confidentiality, integrity, and availability of the affected system. This could lead to unauthorized access, data breaches, system manipulation, or denial of service. Because the attack scope is changed and the impact on confidentiality, integrity, and availability is high, it poses a significant security risk. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should update the Nuvation Energy Multi-Stack Controller (MSC) to Platform version 2.5.1 or later, as the issue is fixed in this version. Additionally, secure access to the MSC and Battery Management System (BMS) devices by enabling authentication with strong passwords and restricting network access to prevent exploitation. [1]