CVE-2025-25281 - Vulnerability Details - OpenCVE

An attacker may modify the URL to discover sensitive information about the target network.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact High

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable yes

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://old.outbackpower.com/about-outback/contact/contact-us
https://www.cisa.gov/news-events/ics-advisories/icsa-25-044-17

History

Fri, 14 Feb 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 13 Feb 2025 21:30:00 +0000

Type	Values Removed	Values Added
Description		An attacker may modify the URL to discover sensitive information about the target network.
Title		Outback Power Mojave Inverter Exposure of Sensitive Information to an Unauthorized Actor
Weaknesses		CWE-200
References		https://old.outbackpower.com/about-outback/contact/contact-us https://www.cisa.gov/news-events/ics-advisories/icsa-25-044-17
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}` cvssV4_0 `{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: icscert

Published: 2025-02-13T21:18:56.425Z

Updated: 2025-02-14T15:47:48.300Z

Reserved: 2025-02-12T16:21:30.252Z

Link: CVE-2025-25281

Vulnrichment

Updated: 2025-02-14T15:37:16.966Z

NVD

Status : Received

Published: 2025-02-13T22:15:13.263

Modified: 2025-02-13T22:15:13.263

Link: CVE-2025-25281

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-25281", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "state": "PUBLISHED", "assignerShortName": "icscert", "dateReserved": "2025-02-12T16:21:30.252Z", "datePublished": "2025-02-13T21:18:56.425Z", "dateUpdated": "2025-02-14T15:47:48.300Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Mojave Inverter", "vendor": "Outback Power", "versions": [{"status": "affected", "version": "All versions"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Jon Hurtado of Sandia National Laboratory reported these vulnerabilities to CISA."}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "An attacker may modify the URL to discover sensitive information about the target network."}], "value": "An attacker may modify the URL to discover sensitive information about the target network."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.7, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2025-02-13T21:18:56.425Z"}, "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-044-17"}, {"url": "https://old.outbackpower.com/about-outback/contact/contact-us"}], "source": {"advisory": "ICSA-25-044-17", "discovery": "EXTERNAL"}, "title": "Outback Power Mojave Inverter Exposure of Sensitive Information to an Unauthorized Actor", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The Mojave Inverter was a product of Enersys. When Outback Power was \nsplit off from Enersys recently, Mojave Inverter was moved to Outback \nPower, but without the resources to maintain the product. Outback Power \nmay discontinue this product and has not yet addressed these \nvulnerabilities. CISA recommends disabling the networking features of \nthis product until a replacement product can be acquired.\n\n<br>"}], "value": "The Mojave Inverter was a product of Enersys. When Outback Power was \nsplit off from Enersys recently, Mojave Inverter was moved to Outback \nPower, but without the resources to maintain the product. Outback Power \nmay discontinue this product and has not yet addressed these \nvulnerabilities. CISA recommends disabling the networking features of \nthis product until a replacement product can be acquired."}], "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-14T15:37:15.584581Z", "id": "CVE-2025-25281", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-14T15:47:48.300Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-25281", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-14T15:37:15.584581Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-14T15:37:16.966Z"}}], "cna": {"title": "Outback Power Mojave Inverter Exposure of Sensitive Information to an Unauthorized Actor", "source": {"advisory": "ICSA-25-044-17", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Jon Hurtado of Sandia National Laboratory reported these vulnerabilities to CISA."}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Outback Power", "product": "Mojave Inverter", "versions": [{"status": "affected", "version": "All versions"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-044-17"}, {"url": "https://old.outbackpower.com/about-outback/contact/contact-us"}], "workarounds": [{"lang": "en", "value": "The Mojave Inverter was a product of Enersys. When Outback Power was \nsplit off from Enersys recently, Mojave Inverter was moved to Outback \nPower, but without the resources to maintain the product. Outback Power \nmay discontinue this product and has not yet addressed these \nvulnerabilities. CISA recommends disabling the networking features of \nthis product until a replacement product can be acquired.", "supportingMedia": [{"type": "text/html", "value": "The Mojave Inverter was a product of Enersys. When Outback Power was \nsplit off from Enersys recently, Mojave Inverter was moved to Outback \nPower, but without the resources to maintain the product. Outback Power \nmay discontinue this product and has not yet addressed these \nvulnerabilities. CISA recommends disabling the networking features of \nthis product until a replacement product can be acquired.\n\n<br>", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "An attacker may modify the URL to discover sensitive information about the target network.", "supportingMedia": [{"type": "text/html", "value": "An attacker may modify the URL to discover sensitive information about the target network.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "shortName": "icscert", "dateUpdated": "2025-02-13T21:18:56.425Z"}}}, "cveMetadata": {"cveId": "CVE-2025-25281", "state": "PUBLISHED", "dateUpdated": "2025-02-14T15:47:48.300Z", "dateReserved": "2025-02-12T16:21:30.252Z", "assignerOrgId": "7d14cffa-0d7d-4270-9dc0-52cabd5a23a6", "datePublished": "2025-02-13T21:18:56.425Z", "assignerShortName": "icscert"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "An attacker may modify the URL to discover sensitive information about the target network."}], "id": "CVE-2025-25281", "lastModified": "2025-02-13T22:15:13.263", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "NONE", "subsequentSystemIntegrity": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "NONE", "vulnerableSystemConfidentiality": "HIGH", "vulnerableSystemIntegrity": "NONE"}, "source": "ics-cert@hq.dhs.gov", "type": "Secondary"}]}, "published": "2025-02-13T22:15:13.263", "references": [{"source": "ics-cert@hq.dhs.gov", "url": "https://old.outbackpower.com/about-outback/contact/contact-us"}, {"source": "ics-cert@hq.dhs.gov", "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-044-17"}], "sourceIdentifier": "ics-cert@hq.dhs.gov", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "ics-cert@hq.dhs.gov", "type": "Primary"}]}