CVE-2025-64121 Overview
CVE-2025-64121 is an authentication bypass vulnerability affecting the Nuvation Energy Multi-Stack Controller (MSC), a battery energy storage system (BESS) controller used in industrial and utility-scale deployments. The flaw permits unauthenticated remote attackers to reach protected functionality through an alternate path or channel, circumventing the controller's authentication layer entirely [CWE-288]. Affected releases span versions 2.3.8 through versions prior to 2.5.1. The issue impacts the nPlatform software running on the nuvMSC3-04S-C, nuvMSC3-08S-C, nuvMSC3-12S-C, and nuvMSC3-16S-C hardware platforms. Successful exploitation grants attackers control over energy storage operations, with potential cascading effects on connected grid infrastructure.
Critical Impact
Unauthenticated network attackers can bypass authentication on Nuvation Energy MSC devices, gaining full control over battery storage operations and threatening the safety of connected power systems.
Affected Products
- Nuvation Energy nPlatform versions 2.3.8 through versions prior to 2.5.1
- Nuvation Energy Multi-Stack Controller hardware: nuvMSC3-04S-C, nuvMSC3-08S-C
- Nuvation Energy Multi-Stack Controller hardware: nuvMSC3-12S-C, nuvMSC3-16S-C
Discovery Timeline
- 2026-01-02 - CVE-2025-64121 published to NVD
- 2026-02-26 - Last updated in NVD database
Technical Details for CVE-2025-64121
Vulnerability Analysis
The vulnerability arises from an authentication bypass condition classified under [CWE-288], Authentication Bypass Using an Alternate Path or Channel. The MSC exposes functionality intended to require authentication, but a parallel access path does not enforce the same identity checks. Attackers reaching this alternate channel over the network gain access to privileged controller operations without supplying valid credentials.
The Multi-Stack Controller orchestrates multiple battery stacks within a single energy storage system. Unauthenticated access to its management functions allows adversaries to alter setpoints, disable safety interlocks, or issue charge and discharge commands. In grid-connected deployments, such tampering can destabilize local power distribution.
The vulnerability carries low attack complexity, requires no privileges, and needs no user interaction, making it suitable for opportunistic scanning of internet-exposed industrial control systems. The EPSS probability stands at 0.123% as of 2026-05-14.
Root Cause
The root cause is the presence of an alternate access path within the nPlatform firmware that omits the authentication checks enforced on the primary interface. This pattern typically results from administrative or diagnostic interfaces, legacy endpoints, or unauthenticated network services that share access to core controller logic.
Attack Vector
An attacker who can reach the MSC over the network sends requests to the alternate channel and receives access to authenticated functionality. No credentials, prior foothold, or user interaction are required. Devices placed on flat operational technology networks or exposed through misconfigured firewalls and remote access gateways are most at risk.
No verified proof-of-concept code is publicly available for this issue. Refer to the Dragos Security Advisory for technical details released by the discovering party.
Detection Methods for CVE-2025-64121
Indicators of Compromise
- Unexpected configuration or setpoint changes on Multi-Stack Controller devices without corresponding operator action in audit logs.
- Network connections to MSC management interfaces originating from sources outside approved engineering workstations or jump hosts.
- Authentication logs showing privileged operations executed without a preceding successful login event.
Detection Strategies
- Inventory all nPlatform deployments and identify any unit running version 2.3.8 or later but earlier than 2.5.1.
- Inspect controller logs for command activity that bypasses the standard login workflow or originates from unusual interfaces.
- Deploy network sensors capable of parsing the protocols used by the MSC and alert on unauthenticated access to management endpoints.
Monitoring Recommendations
- Continuously monitor north-south and east-west traffic to and from the MSC subnet for anomalous source addresses.
- Forward controller syslog and audit data to a centralized SIEM and build alerts for privileged actions lacking authentication context.
- Track firmware version and patch state of every MSC unit to confirm remediation across the fleet.
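The indicator "privileged operations executed without a preceding successful login event" can be expressed as a correlation rule. The following is an added example, not vendor or Dragos code: the key=value event layout, the event names, the 30-minute session window, and the approved source address are assumptions standing in for a SIEM-normalized feed, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Assumptions (not from the vendor): event names, field layout and the session
# window describe a SIEM-normalized feed, not the controller's native log format.
PRIVILEGED = {"setpoint_write", "interlock_change", "charge_command", "discharge_command"}
SESSION_WINDOW = timedelta(minutes=30)
APPROVED_SOURCES = {"10.10.20.5"}  # engineering workstation or jump host

# Constructed sample events for illustration only.
SAMPLE_LOG = """\
2026-03-01T10:00:00Z src=10.10.20.5 event=login_success user=operator1
2026-03-01T10:05:00Z src=10.10.20.5 event=setpoint_write param=max_charge_current
2026-03-01T10:06:00Z src=10.10.20.5 event=logout user=operator1
2026-03-01T10:07:00Z src=10.10.20.5 event=charge_command stack=2
2026-03-01T11:00:00Z src=192.0.2.77 event=interlock_change state=disabled
2026-03-01T12:00:00Z src=10.10.20.5 event=login_success user=operator1
2026-03-01T12:45:00Z src=10.10.20.5 event=discharge_command stack=1
"""

def parse(line):
    """Split 'timestamp key=value ...' into a dict with a parsed 'ts' field."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields

def find_unauthenticated_actions(log_text):
    """Return privileged events lacking a live login or coming from an unapproved source."""
    last_login = {}  # source address -> time of the login that opened its session
    alerts = []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        ev = parse(line)
        src, name = ev.get("src"), ev.get("event")
        if name == "login_success":
            last_login[src] = ev["ts"]
        elif name == "logout":
            last_login.pop(src, None)
        elif name in PRIVILEGED:
            reasons = []
            login = last_login.get(src)
            if login is None or ev["ts"] - login > SESSION_WINDOW:
                reasons.append("no_preceding_login")
            if src not in APPROVED_SOURCES:
                reasons.append("unapproved_source")
            if reasons:
                alerts.append((ev["ts"].isoformat(), src, name, reasons))
    return alerts

if __name__ == "__main__":
    for alert in find_unauthenticated_actions(SAMPLE_LOG):
        print(alert)
```

On the constructed sample, the rule flags the command issued after logout, the interlock change from an unapproved address, and the command sent after the session window expired.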
How to Mitigate CVE-2025-64121
Immediate Actions Required
- Upgrade all affected Nuvation Energy MSC devices to nPlatform version 2.5.1 or later.
- Remove direct internet exposure of MSC management interfaces and place devices behind a hardened firewall.
- Restrict management access to a dedicated engineering VLAN reachable only through authenticated jump hosts or a VPN.
Patch Information
Nuvation Energy resolved the issue in nPlatform version 2.5.1. Operators should coordinate firmware upgrades through their normal change management process and validate controller functionality after the update. Consult the Dragos Security Advisory for vendor guidance and additional context.
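To scope the upgrade and track remediation, the fleet inventory can be triaged against the affected range (2.3.8 inclusive, 2.5.1 exclusive) and the listed hardware models. This is an added example, not vendor tooling: the CSV column names, hostnames, and sample versions are constructed, and versions are compared numerically because a string comparison would sort "2.3.10" before "2.3.8".

```python
import csv
import io
import re

# Hardware models and version bounds as listed in this advisory.
AFFECTED_MODELS = {"nuvMSC3-04S-C", "nuvMSC3-08S-C", "nuvMSC3-12S-C", "nuvMSC3-16S-C"}
FIRST_AFFECTED = (2, 3, 8)  # inclusive lower bound
FIRST_FIXED = (2, 5, 1)     # exclusive upper bound (patched release)

# Constructed inventory export; hostnames and column names are hypothetical.
SAMPLE_INVENTORY = """\
hostname,model,nplatform_version
bess-a-msc1,nuvMSC3-04S-C,2.3.8
bess-a-msc2,nuvMSC3-08S-C,2.5.1
bess-b-msc1,nuvMSC3-12S-C,2.3.10
bess-b-msc2,nuvMSC3-16S-C,2.3.7
bess-c-msc1,nuvMSC3-16S-C,v2.5.0
bess-c-msc2,nuvMSC3-04S-C,unknown
bess-d-plc1,other-controller,2.4.0
"""

def parse_version(text):
    """Return (major, minor, patch) as ints, or None if the string is not x.y.z."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(g) for g in m.groups()) if m else None

def classify(model, version_text):
    """Classify one unit against the advisory's model list and version range."""
    if model not in AFFECTED_MODELS:
        return "out_of_scope"
    version = parse_version(version_text)
    if version is None:
        return "needs_review"  # unparseable version: verify on the device
    if FIRST_AFFECTED <= version < FIRST_FIXED:
        return "vulnerable"
    return "not_in_range"

def triage(inventory_csv):
    """Map each hostname in the CSV export to its classification."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["hostname"]: classify(r["model"], r["nplatform_version"]) for r in rows}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```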
Workarounds
- Apply strict network segmentation between operational technology networks hosting the MSC and any corporate or internet-facing networks.
- Enforce allow-list firewall rules permitting MSC management traffic only from designated engineering systems.
- Disable remote management features where they are not operationally required until the patched firmware is deployed.
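# Example firewall allow-list restricting MSC management access
# Assumes the rules run on the Linux gateway that routes traffic to the MSC,
# so they belong in the FORWARD chain (INPUT only matches traffic to the gateway itself)
# Replace with site-specific addresses for the MSC and engineering host
iptables -A FORWARD -p tcp -s 10.10.20.5 -d 10.20.30.10 --dport 443 -j ACCEPT
iptables -A FORWARD -p tcp -d 10.20.30.10 --dport 443 -j DROP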

