
CVE-2025-64123: Nuvation Energy MSC SSRF Vulnerability

CVE-2025-64123 is an SSRF vulnerability in Nuvation Energy Multi-Stack Controller (MSC) that enables network boundary bridging attacks. This article covers technical details, affected versions through 2.5.1, and mitigation.


CVE-2025-64123 Overview

An Unintended Proxy or Intermediary vulnerability has been identified in the Nuvation Energy Multi-Stack Controller (MSC), a critical component used in energy storage and battery management systems. This vulnerability allows attackers to perform Network Boundary Bridging, potentially enabling unauthorized access to protected network segments through the affected device acting as an unintended intermediary.

The vulnerability, classified under CWE-441 (Unintended Proxy or Intermediary), represents a significant security risk in industrial control system (ICS) and operational technology (OT) environments where the Multi-Stack Controller is deployed. Attackers can leverage this flaw to bypass network segmentation controls, potentially reaching previously isolated systems.

Critical Impact

This vulnerability enables attackers to bridge network boundaries using the Multi-Stack Controller as an unintended proxy, potentially compromising the security of isolated OT/ICS network segments in energy infrastructure environments.

Affected Products

  • Nuvation Energy Multi-Stack Controller (MSC) through and including release 2.5.1

Discovery Timeline

  • 2026-01-02 - CVE-2025-64123 published to NVD
  • 2026-01-08 - Last updated in NVD database

Technical Details for CVE-2025-64123

Vulnerability Analysis

This vulnerability stems from the Multi-Stack Controller's improper handling of network traffic, allowing it to function as an unintended proxy between different network zones. The Nuvation Energy MSC, designed for battery energy storage system management, inadvertently processes and forwards network traffic in ways that violate expected network boundary controls.

The attack can be executed remotely over the network without requiring authentication or user interaction. While the vulnerability does not directly impact the confidentiality, integrity, or availability of the vulnerable system itself, it poses substantial risk to downstream systems by enabling attackers to reach previously isolated network segments.

In ICS/OT environments where the Multi-Stack Controller is deployed, this type of network boundary bridging vulnerability is particularly dangerous. Energy storage facilities typically rely on network segmentation as a primary security control to isolate critical operational systems from enterprise networks and the internet. Compromising this boundary can lead to cascading security failures across the infrastructure.

Root Cause

The root cause of this vulnerability lies in CWE-441: Unintended Proxy or Intermediary. The Multi-Stack Controller contains functionality that allows it to relay or forward network communications between different network interfaces or zones without proper validation or restriction. This behavior transforms the device into an unintended bridge between network segments that should remain isolated, effectively circumventing network security architecture designed to protect critical systems.

Attack Vector

The attack vector for CVE-2025-64123 is network-based with low complexity requirements. An attacker with network access to the vulnerable Multi-Stack Controller can exploit this vulnerability remotely without authentication credentials or any form of user interaction.

The exploitation process involves sending specially crafted network requests to the Multi-Stack Controller that cause it to forward traffic across network boundaries. By leveraging this unintended proxy functionality, attackers can:

  1. Enumerate and access systems on protected network segments
  2. Pivot through the controller to reach isolated OT/ICS networks
  3. Exfiltrate data from segmented environments
  4. Establish command and control channels through the bridged connection

For detailed technical information about this vulnerability, refer to the Dragos Security Advisory.

Detection Methods for CVE-2025-64123

Indicators of Compromise

  • Unexpected network traffic patterns originating from the Multi-Stack Controller to previously unreachable network segments
  • Connection attempts from the MSC device to internal systems outside its normal operational scope
  • Unusual proxy-like behavior or traffic forwarding through the controller's network interfaces
  • Network flow data showing the MSC acting as an intermediary for connections it should not be facilitating

Detection Strategies

  • Implement network traffic analysis to identify anomalous connections traversing the Multi-Stack Controller
  • Deploy IDS/IPS rules to detect network boundary violations involving the MSC device
  • Monitor for unexpected communication patterns between IT and OT network zones through the controller
  • Utilize SentinelOne Singularity platform for endpoint and network visibility across affected environments

Monitoring Recommendations

  • Enable comprehensive logging on network devices adjacent to the Multi-Stack Controller
  • Implement network segmentation monitoring to detect any bridging attempts between zones
  • Deploy OT-specific security monitoring solutions to track industrial protocol anomalies
  • Establish baseline network behavior for the MSC and alert on deviations
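
One way to turn the baseline and flow-data indicators above into a check, as an added example that is not part of the original advisory or any vendor tooling. The controller address, zone layout, baseline entries and flow records are all constructed; records are assumed to be sorted by timestamp.

```python
import csv, io
from ipaddress import ip_address, ip_network

# All addresses, zones and flow records below are constructed for illustration.
MSC_IP = ip_address("10.20.0.5")
# Baseline: (network, port) pairs the MSC is expected to initiate connections to.
BASELINE = [(ip_network("10.20.0.0/24"), 502),   # battery stacks, Modbus/TCP
            (ip_network("10.10.1.10/32"), 514)]  # syslog collector
RELAY_WINDOW = 5.0  # max seconds between an inbound flow and a related outbound one

FLOWS = """ts,src,dst,dport
100.0,10.10.1.50,10.20.0.5,443
130.0,10.20.0.5,10.20.0.11,502
200.0,192.168.7.9,10.20.0.5,80
201.2,10.20.0.5,10.30.4.8,445
202.0,10.20.0.5,10.30.4.9,445
600.0,10.20.0.5,10.30.4.8,22
900.0,10.20.0.5,10.10.1.10,514
"""

def in_baseline(dst, dport):
    return any(dst in net and dport == port for net, port in BASELINE)

def find_bridging(flow_csv):
    """Return alerts for MSC-originated flows outside the baseline, marking
    those that closely follow an inbound flow to the MSC (proxy-like pattern)."""
    alerts, inbound = [], []          # inbound: (ts, src) of flows sent to the MSC
    for row in csv.DictReader(io.StringIO(flow_csv)):
        ts, dport = float(row["ts"]), int(row["dport"])
        src, dst = ip_address(row["src"]), ip_address(row["dst"])
        if dst == MSC_IP:
            inbound.append((ts, src))
            continue
        if src != MSC_IP or in_baseline(dst, dport):
            continue
        # Outbound from the MSC to a non-baseline destination: look for a trigger.
        triggers = [s for t, s in inbound if 0 <= ts - t <= RELAY_WINDOW]
        alerts.append({"ts": ts, "dst": str(dst), "dport": dport,
                       "kind": "relay" if triggers else "off-baseline",
                       "via": str(triggers[-1]) if triggers else None})
    return alerts

if __name__ == "__main__":
    for alert in find_bridging(FLOWS):
        print(alert)
```

A "relay" alert names the host whose inbound connection immediately preceded the off-baseline flow, which is the pairing to review first when investigating the MSC as an intermediary.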

How to Mitigate CVE-2025-64123

Immediate Actions Required

  • Verify the firmware version of all deployed Nuvation Energy Multi-Stack Controllers and identify devices running version 2.5.1 or earlier
  • Implement strict firewall rules to limit the network exposure of affected MSC devices
  • Review and strengthen network segmentation controls around energy storage systems
  • Contact Nuvation Energy for information regarding patches or firmware updates addressing this vulnerability

Patch Information

Organizations should monitor the Dragos Security Advisory for updates regarding official patches from Nuvation Energy. Contact the vendor directly for current remediation guidance and timeline for security updates addressing CVE-2025-64123.

Workarounds

  • Implement additional network segmentation using firewalls or VLANs to isolate the Multi-Stack Controller from sensitive network zones
  • Apply strict access control lists (ACLs) on network devices to prevent the MSC from communicating with unauthorized destinations
  • Deploy a jump host or bastion architecture for any necessary administrative access to the controller
  • Consider implementing a unidirectional security gateway (data diode) where feasible to prevent reverse traffic flow
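```bash
# Example firewall rules to restrict MSC network access (adapt to your environment).
# Run on the Linux firewall/router that forwards traffic for the MSC.
MSC_IP="<MSC_IP_ADDRESS>"                    # placeholder: address of the controller
MGMT_NET="<AUTHORIZED_MANAGEMENT_NETWORK>"   # placeholder: authorized destination network

# Allow traffic from the MSC only to explicitly authorized destinations
iptables -A FORWARD -s "$MSC_IP" -d "$MGMT_NET" -j ACCEPT

# Log any attempted boundary bridging for forensic analysis.
# LOG is a non-terminating target, so it must precede the DROP rule to be evaluated.
iptables -A FORWARD -s "$MSC_IP" -j LOG --log-prefix "MSC_BOUNDARY_ATTEMPT: "

# Deny all other traffic from the MSC
iptables -A FORWARD -s "$MSC_IP" -j DROP
```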

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
