CVE-2025-25281 Overview
CVE-2025-25281 is an information disclosure vulnerability affecting the OutBack Power Mojave Inverter OGHI8048A. An attacker can modify URL parameters in requests to the device to extract sensitive information about the target network. The flaw is exploitable over the network without authentication or user interaction, making the device's web interface a direct exposure point in industrial control system (ICS) environments. The issue is tracked under CISA ICS Advisory ICSA-25-044-17 and categorized as [CWE-200] Exposure of Sensitive Information to an Unauthorized Actor.
Critical Impact
Unauthenticated remote attackers can manipulate URL parameters to retrieve sensitive network information from affected OutBack Power Mojave Inverter devices.
Affected Products
- OutBack Power Mojave Inverter OGHI8048A (hardware)
- OutBack Power Mojave Inverter OGHI8048A firmware
- Deployments referenced under CISA ICS Advisory ICSA-25-044-17
Discovery Timeline
- 2025-02-13 - CVE-2025-25281 published to the National Vulnerability Database
- 2025-04-10 - Last updated in NVD database
Technical Details for CVE-2025-25281
Vulnerability Analysis
The Mojave Inverter exposes a web management interface that processes URL parameters without enforcing proper authorization or output filtering. By modifying request URLs, an attacker can cause the device to return data describing the target network. The vulnerability falls under [CWE-200], Exposure of Sensitive Information to an Unauthorized Actor, with confidentiality as the primary impact. Based on the advisory data, the integrity and availability of the device are not affected. EPSS data indicates an exploitation probability of 0.212% (43.62nd percentile), reflecting limited public exploitation signals at this time.
Root Cause
The device fails to enforce access controls on URL-driven endpoints that return network-related data. Parameters submitted in requests are honored without verifying the requester's identity or restricting the scope of data returned. This design omission allows direct enumeration of sensitive information through trivial URL manipulation.
Attack Vector
An unauthenticated attacker with network reachability to the inverter sends crafted HTTP requests to the management interface. By altering query parameters or path segments, the attacker retrieves information that should be restricted to authorized operators. Exposure increases substantially when the device is reachable from untrusted networks or the public internet.
No verified public proof-of-concept code is available. Refer to CISA ICS Advisory ICSA-25-044-17 for technical context.
Detection Methods for CVE-2025-25281
Indicators of Compromise
- Unexpected HTTP GET requests to the Mojave Inverter management interface containing modified or enumerated URL parameters.
- Requests originating from external or non-operational source IP ranges to the inverter's web service.
- Bursts of sequential parameter values suggesting automated enumeration.
Detection Strategies
- Inspect inverter web server access logs for anomalous parameter values or paths not used by legitimate operator workflows.
- Deploy network intrusion detection signatures on the operational technology (OT) segment to flag unauthenticated HTTP queries to inverter endpoints.
- Baseline normal management traffic patterns and alert on deviations such as new client IPs or request rates.
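One way to run the log checks listed above over a web access log, given here as an added example rather than code from the advisory or from OutBack Power. The Common Log Format input, the `/status` path, the `page` and `id` parameter names and the 10.10.20.0/24 operator subnet are assumptions, since the advisory names no endpoints or parameters.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit
# Assumptions (not from the advisory): log format, operator subnet, paths, parameter names.
OPERATOR_NETS = [ipaddress.ip_network("10.10.20.0/24")]
SEQ_RUN = 4  # consecutive integer values of one parameter treated as enumeration
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "GET (?P<url>\S+) [^"]*" \d{3}')
# Constructed sample access log (Common Log Format); /status, page and id are hypothetical.
SAMPLE_LOG = """\
10.10.20.15 - - [13/Feb/2025:08:00:01 +0000] "GET /status?page=1 HTTP/1.1" 200 512
203.0.113.40 - - [13/Feb/2025:08:02:10 +0000] "GET /status?id=1 HTTP/1.1" 200 498
203.0.113.40 - - [13/Feb/2025:08:02:11 +0000] "GET /status?id=2 HTTP/1.1" 200 498
203.0.113.40 - - [13/Feb/2025:08:02:11 +0000] "GET /status?id=3 HTTP/1.1" 200 501
203.0.113.40 - - [13/Feb/2025:08:02:12 +0000] "GET /status?id=4 HTTP/1.1" 200 499
198.51.100.7 - - [13/Feb/2025:09:14:37 +0000] "GET /status?page=1 HTTP/1.1" 200 512
"""

def longest_run(values):
    """Length of the longest run of consecutive integers among the values."""
    best, run, prev = 0, 0, None
    for v in sorted(set(values)):
        run = run + 1 if prev is not None and v == prev + 1 else 1
        best, prev = max(best, run), v
    return best

def analyze(log_text):
    """Return (finding_type, detail) tuples for GET requests in the log text."""
    findings, flagged = [], set()
    seen = defaultdict(list)  # (source, path, parameter) -> integer values requested
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # client field is a hostname or malformed; skipped in this example
        if m["src"] not in flagged and not any(src in n for n in OPERATOR_NETS):
            flagged.add(m["src"])
            findings.append(("unexpected_source", m["src"]))
        url = urlsplit(m["url"])
        for key, val in parse_qsl(url.query, keep_blank_values=True):
            if val.isdecimal():
                seen[(m["src"], url.path, key)].append(int(val))
    for (src, path, key), vals in seen.items():
        if longest_run(vals) >= SEQ_RUN:
            findings.append(("sequential_enumeration", f"{src} {path} {key}"))
    return findings
```

Tune `OPERATOR_NETS` and `SEQ_RUN` to the site's own baseline before alerting on the output.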
Monitoring Recommendations
- Forward inverter and firewall logs to a centralized SIEM for correlation against authorized operator sessions.
- Monitor egress and ingress on the ICS segment for any direct internet exposure of the inverter.
- Track authentication and access events on adjacent ICS assets to detect lateral activity following reconnaissance.
How to Mitigate CVE-2025-25281
Immediate Actions Required
- Remove the Mojave Inverter from direct internet exposure and place it behind a firewall or VPN as recommended by CISA.
- Restrict management interface access to a dedicated administrative network segment and known operator workstations.
- Contact OutBack Power via the OutBack Power Contact Page for vendor guidance and remediation status.
Patch Information
No vendor patch is referenced in the advisory data available at publication. Asset owners should follow the defensive measures detailed in CISA ICS Advisory ICSA-25-044-17 and engage OutBack Power directly for firmware update availability.
Workarounds
- Enforce network segmentation between business systems and the ICS network hosting the inverter.
- Require VPN with multifactor authentication for any remote management access to the device.
- Apply allowlists on perimeter and ICS firewalls so that only authorized IP addresses can reach the inverter's web interface.
- Disable or restrict the web management interface when not actively required for operations.
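```bash
# Example firewall allowlist for the inverter management interface
# Replace placeholders with site-specific values
# Assumes the rules run on a routing firewall in front of the inverter, so they
# belong in the FORWARD chain; INPUT only sees packets addressed to the firewall itself.
iptables -A FORWARD -p tcp -s 10.10.20.0/24 -d <inverter_ip> --dport 80 -j ACCEPT
iptables -A FORWARD -p tcp -d <inverter_ip> --dport 80 -j DROP
```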
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


