CVE-2025-64123

Published: Jan 2, 2026Modified: Feb 26, 2026

7.9

Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:X/R:X/V:X/RE:X/U:X

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:X/R:X/V:X/RE:X/U:XShow less

Source: ot-cert@dragos.com (Secondary)

Description

Unintended Proxy or Intermediary vulnerability in Nuvation Energy Multi-Stack Controller (MSC) allows Network Boundary Bridging.This issue affects Multi-Stack Controller (MSC): through and including release 2.5.1.

Affected (1)

Products: Nuvationenergy: Nplatform

Nuvationenergy

1 product

Nplatform

Configuration A

1 vulnerable · 4 platform

Vulnerable Software	Affected Versions
Nuvationenergy Nplatform	Up to 2.5.1

Running on/with	Platform Versions
Nuvationenergy Nuvmsc3 04s C	All versions
Nuvationenergy Nuvmsc3 08s C	All versions
Nuvationenergy Nuvmsc3 12s C	All versions
Nuvationenergy Nuvmsc3 16s C	All versions

Related CWEs

CWE-441

Unintended Proxy or Intermediary ('Confused Deputy')

The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.

References (1)

https://www.dragos.com/community/advisories/CVE-2025-64119

Source: ot-cert@dragos.com

Third Party Advisory

Timeline

No history available yet.