{"dataType":"CVE_RECORD","dataVersion":"5.1","cveMetadata":{"cveId":"CVE-2025-24861","assignerOrgId":"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6","state":"PUBLISHED","assignerShortName":"icscert","dateReserved":"2025-02-12T16:21:30.233Z","datePublished":"2025-02-13T21:20:05.837Z","dateUpdated":"2025-02-14T15:47:37.776Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","product":"Mojave Inverter","vendor":"Outback Power","versions":[{"status":"affected","version":"All versions"}]}],"credits":[{"lang":"en","type":"finder","value":"Jon Hurtado of Sandia National Laboratory reported these vulnerabilities to CISA."}],"descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"An attacker may inject commands via specially-crafted post requests."}],"value":"An attacker may inject commands via specially-crafted post requests."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"NONE","baseScore":7.5,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"NONE","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]},{"cvssV4_0":{"Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","Safety":"NOT_DEFINED","attackComplexity":"LOW","attackRequirements":"NONE","attackVector":"NETWORK","baseScore":8.7,"baseSeverity":"HIGH","privilegesRequired":"NONE","providerUrgency":"NOT_DEFINED","subAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","userInteraction":"NONE","valueDensity":"NOT_DEFINED","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N","version":"4.0","vulnAvailabilityImpact":"NONE","vulnConfidentialityImpact":"HIGH","vulnIntegrityImpact":"NONE","vulnerabilityResponseEffort":"NOT_DEFINED"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-77","description":"CWE-77 Command Injection","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"7d14cffa-0d7d-4270-9dc0-52cabd5a23a6","shortName":"icscert","dateUpdated":"2025-02-13T21:20:05.837Z"},"references":[{"url":"https://www.cisa.gov/news-events/ics-advisories/icsa-25-044-17"},{"url":"https://old.outbackpower.com/about-outback/contact/contact-us"}],"source":{"advisory":"ICSA-25-044-17","discovery":"EXTERNAL"},"title":"Outback Power Mojave Inverter Command Injection","workarounds":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"The Mojave Inverter was a product of Enersys. When Outback Power was \nsplit off from Enersys recently, Mojave Inverter was moved to Outback \nPower, but without the resources to maintain the product. Outback Power \nmay discontinue this product and has not yet addressed these \nvulnerabilities. CISA recommends disabling the networking features of \nthis product until a replacement product can be acquired.\n\n<br>"}],"value":"The Mojave Inverter was a product of Enersys. When Outback Power was \nsplit off from Enersys recently, Mojave Inverter was moved to Outback \nPower, but without the resources to maintain the product. Outback Power \nmay discontinue this product and has not yet addressed these \nvulnerabilities. CISA recommends disabling the networking features of \nthis product until a replacement product can be acquired."}],"x_generator":{"engine":"Vulnogram 0.2.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2025-02-14T15:37:12.816629Z","id":"CVE-2025-24861","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2025-02-14T15:47:37.776Z"}}]}}