CVE-2025-26473 Overview
CVE-2025-26473 affects the OutBack Power Mojave Inverter OGHI8048A, an industrial control system (ICS) device used in solar and battery-backed power deployments. The firmware transmits sensitive information using HTTP GET requests, exposing credentials and other secrets in URLs. URLs are commonly logged by web servers, proxies, and browser histories, making this an information disclosure vulnerability classified under [CWE-598]. The flaw was published in the CISA ICS Advisory ICSA-25-044-17 covering OutBack Power Mojave Inverter products.
Critical Impact
Remote, unauthenticated attackers on the network path can capture sensitive parameters transmitted in GET request query strings, leading to credential exposure and potential compromise of the inverter management interface.
Affected Products
- OutBack Power Mojave Inverter OGHI8048A (hardware)
- OutBack Power Mojave Inverter OGHI8048A firmware (all versions)
- Deployments exposing the inverter web interface to untrusted networks
Discovery Timeline
- 2025-02-13 - CVE-2025-26473 published to NVD alongside CISA advisory ICSA-25-044-17
- 2025-03-19 - Last updated in NVD database
Technical Details for CVE-2025-26473
Vulnerability Analysis
The Mojave Inverter web management interface uses HTTP GET requests to transmit sensitive data such as authentication parameters. Per [CWE-598] (Use of GET Request Method With Sensitive Query Strings), data placed in a URL query string is exposed in multiple locations outside the application's control. Web server access logs, intermediate proxy logs, browser history, the Referer header, and bookmarks all retain these values.
The vulnerability requires no authentication, no user interaction, and no special privileges. An attacker with network visibility to the inverter interface, or access to any logging infrastructure between the client and the device, can recover the disclosed values. The scope is limited to confidentiality, but disclosed credentials can be replayed to gain administrative control of the inverter.
Root Cause
The root cause is a design flaw in the inverter's web interface. Sensitive parameters that should travel inside the body of an HTTP POST request, ideally over TLS, are instead appended to URL query strings on GET endpoints. Because ICS devices like the Mojave Inverter are frequently deployed without HTTPS, the data also traverses the network in cleartext.
Attack Vector
Exploitation requires network access to the inverter or to a system that handles its HTTP traffic. An attacker can passively observe URLs on the wire, retrieve cached request lines from proxies and reverse proxies, or harvest values from server access logs. Once captured, credentials enable authenticated access to configuration endpoints that control inverter operation. The vulnerability mechanism is described in the CISA advisory; no public proof-of-concept code is required because the disclosure occurs in the normal request flow.
Detection Methods for CVE-2025-26473
Indicators of Compromise
- Web server access logs on or near the inverter showing query strings containing parameters such as password, token, apikey, session, or auth
- Unexpected administrative logins to the Mojave Inverter from IP addresses outside the operations network
- Configuration changes to inverter settings without a corresponding authorized change ticket
- Network captures showing cleartext HTTP traffic to the inverter management port
Detection Strategies
- Inspect packet captures from the operational technology (OT) segment for GET requests to the inverter containing credential-like query parameters
- Parse historical proxy, firewall, and SIEM logs for URLs originating from or destined to the inverter that include sensitive query string fields
- Baseline normal administrative source IPs for the inverter and alert on deviations
Monitoring Recommendations
- Forward inverter and adjacent network device logs to a centralized SIEM with OCSF normalization for correlation
- Enable full packet capture on the OT segment hosting the inverter for forensic review
- Monitor for anomalous outbound connections from engineering workstations that may indicate replayed credentials
How to Mitigate CVE-2025-26473
Immediate Actions Required
- Remove the Mojave Inverter management interface from any internet-exposed network and place it behind a firewall on an isolated OT VLAN, per CISA guidance in ICSA-25-044-17
- Require VPN access for any remote administration of the inverter
- Rotate all credentials used to administer the device, assuming prior disclosure
- Audit web server, proxy, and SIEM logs for historical exposure of credentials in URL query strings
Patch Information
At the time of the NVD entry, no vendor patch was listed. OutBack Power can be contacted through the OutBack Power Contact page for firmware update availability. Operators should subscribe to CISA ICS advisories to receive updates to ICSA-25-044-17.
Workarounds
- Restrict access to the inverter web interface to a dedicated management host using firewall ACLs
- Terminate the inverter's HTTP interface behind a reverse proxy that strips query strings from logs and enforces TLS
- Disable the web interface when not actively required for configuration changes
- Apply CISA ICS defense-in-depth recommendations, including network segmentation between IT and OT environments
# Example firewall rule restricting inverter web access to a management jump host
# Replace INVERTER_IP and MGMT_HOST with site-specific values
iptables -A FORWARD -s MGMT_HOST -d INVERTER_IP -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -d INVERTER_IP -p tcp --dport 80 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
