CVE-2025-64122

5.5 MEDIUM

📋 TL;DR

CVE-2025-64122 is an insufficiently protected credentials vulnerability in Nuvation Energy Multi-Stack Controller (MSC) that allows attackers to steal cryptographic keys and perform signature spoofing. This affects organizations using Nuvation Energy's energy storage control systems. Attackers could potentially forge system commands or manipulate energy storage operations.

💻 Affected Systems

Products:
  • Nuvation Energy Multi-Stack Controller (MSC)
Versions: through 2.5.1
Operating Systems: Embedded/Proprietary
Default Config Vulnerable: ⚠️ Yes
Notes: Affects energy storage control systems in industrial and utility environments.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of energy storage system allowing unauthorized control over battery operations, potential grid disruption, or safety-critical system manipulation.

🟠 Likely Case

Unauthorized access to controller functions, manipulation of energy storage/discharge schedules, or data exfiltration from the control system.

🟢 If Mitigated

Limited impact with proper network segmentation and access controls preventing external access to vulnerable systems.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires access to the controller system or network. Signature spoofing suggests cryptographic key compromise is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.dragos.com/community/advisories/CVE-2025-64119

Restart Required: Yes

Instructions:

1. Contact Nuvation Energy for patch availability.
2. Apply any available firmware updates.
3. Restart affected controllers after patching.

🔧 Temporary Workarounds

Network Segmentation

Isolate MSC controllers from untrusted networks and internet access.

Access Control Hardening

Implement strict authentication and authorization controls for controller access.

🧯 If You Can't Patch

  • Implement network segmentation to isolate controllers from other systems
  • Monitor for unusual authentication attempts or controller command patterns

🔍 How to Verify

Check if Vulnerable:

Check controller firmware version via web interface or CLI. Versions 2.5.1 and earlier are vulnerable.

Check Version:

Check via controller web interface or consult Nuvation Energy documentation

Verify Fix Applied:

Verify firmware version is updated beyond 2.5.1 through controller management interface.

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication patterns
  • Unexpected cryptographic operations
  • Unauthorized configuration changes

Network Indicators:

  • Unexpected network traffic to/from controller ports
  • Suspicious command and control patterns

SIEM Query:

source="controller_logs" AND (event_type="auth_failure" OR event_type="config_change")
