CVE-2026-25599
Awaiting Analysis Awaiting Analysis - Queue
Stored XSS in Orca Heat Pump Web Interface

Publication date: 2026-06-01

Last updated on: 2026-06-01

Assigner: ENISA

Description
Missing authentication and clear‑text transmission of data from the heat pumps to the control server, combined with the absence of input validation on aggregated data, can lead to stored XSS that enables theft of cookies from the pump’s web control interface. Older Orca heat pump devices communicating with the Orca server over an unencrypted and unauthenticated HTTP connection on a non-secure port specifically enable an attacker to impersonate a legitimate device and inject malicious payloads. This enables the insertion of harmful code directly into the Orca user portal, potentially compromising user accounts, exposing sensitive information, and allowing further unauthorized actions within the portal.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-01
Last Modified
2026-06-01
Generated
2026-06-21
AI Q&A
2026-06-01
EPSS Evaluated
2026-06-20
NVD
CVE-2026-25599
EUVD
EUVD-2026-33617
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
orca heat_pump *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-319 The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability involves missing authentication and clear-text transmission of data, which can lead to unauthorized access and theft of sensitive information such as cookies from the pump’s web control interface.

Such security weaknesses could potentially result in non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data through proper authentication, encryption, and input validation.

Specifically, the exposure of sensitive information and the possibility of unauthorized actions within the user portal may violate data protection requirements and increase the risk of data breaches.

Detection Guidance

Detection of this vulnerability involves identifying unencrypted and unauthenticated HTTP communication between Orca heat pump devices and the Orca control server, especially on non-secure ports.

Network monitoring tools can be used to capture traffic and check for HTTP connections from Orca heat pumps. Commands such as 'tcpdump' or 'Wireshark' filters can help detect this traffic.

  • Use tcpdump to capture HTTP traffic on the suspected port: tcpdump -i <interface> tcp port <port_number> and inspect for unencrypted data.
  • Use curl or wget to attempt connecting to the Orca heat pump device or server over HTTP and check if authentication is required.
  • Check web control interfaces for signs of stored XSS by inspecting cookies and input fields for malicious payloads.
Mitigation Strategies

Immediate mitigation steps include disabling unencrypted HTTP communication between Orca heat pumps and the control server.

Ensure that communication is encrypted and authenticated, preferably by switching to HTTPS or another secure protocol.

Apply input validation on all aggregated data to prevent stored XSS attacks.

Restrict access to the Orca user portal and monitor for suspicious activity that could indicate exploitation attempts.

Executive Summary

This vulnerability involves missing authentication and clear-text transmission of data between Orca heat pumps and their control server. Because the communication happens over an unencrypted and unauthenticated HTTP connection, an attacker can impersonate a legitimate device.

Additionally, the absence of input validation on aggregated data allows for stored cross-site scripting (XSS) attacks. This means an attacker can inject malicious code into the Orca user portal, which can then be used to steal cookies from the pump’s web control interface.

Overall, this vulnerability enables attackers to compromise user accounts, expose sensitive information, and perform unauthorized actions within the portal.

Impact Analysis

The vulnerability can impact you by allowing attackers to impersonate legitimate heat pump devices and inject harmful code into the user portal.

This can lead to theft of cookies, which may result in unauthorized access to user accounts.

Consequently, sensitive information could be exposed and attackers could perform further unauthorized actions within the portal, potentially compromising the security and integrity of your heat pump system.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25599. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart